Privacy
Policy

01Who we are

Vitality Rich ("VR", "we", "us", "our") is a personal training and coaching service operating from Norwich, United Kingdom. For the purposes of the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations ("PECR"), the data controller is:

Vitality Rich Ltd
Norwich, United Kingdom
Email: contact@vitalityrich.fit

02What we collect

Information you give us

• Name, email address, optional phone number
• Stated training goal and preferred training mode
• For out-call bookings: physical address
• Voluntarily disclosed health information, injuries, training history, photographs (only if you provide them)
• Billing name and email at checkout (payment card details are processed directly by Stripe and never seen, received, or stored by VR)

Information collected automatically

• IP address (collected briefly for fraud prevention and rate-limiting, then discarded)
• Device, browser, approximate location (country-level only)
• Pages viewed, UTM parameters, referring URL
• Email opens and link clicks (for transactional emails only)

Information we do NOT collect

• Payment card numbers, CVC, or expiry dates
• Biometric data
• Information from third-party data brokers

03How we use your information

• To deliver the programme, session, or intro call you purchased or requested
• To respond to enquiries and provide customer support
• To send transactional emails (purchase receipts, booking confirmations, password resets)
• To send marketing emails, only where you have explicitly opted in
• To comply with legal, tax, and accounting obligations
• To detect, prevent, and address fraud, abuse, and security incidents
• To improve the service through aggregated, anonymised analytics
• To enforce our Terms of Service and protect our legal rights

04Lawful basis for processing

• Contract — processing necessary to deliver the services you purchased
• Consent — for optional marketing emails (withdrawable at any time)
• Legitimate interests — fraud prevention, security, anonymous analytics, and enforcing our rights, where such interests are not overridden by your rights and freedoms
• Legal obligation — HMRC and accounting record-keeping

05Who we share with

We use a small number of processors, bound by written data-processing agreements:

• Stripe Payments UK Ltd — payment processing (PCI DSS Level 1)
• Supabase Inc. — database and encrypted file storage
• Resend — transactional and marketing email delivery
• Cal.com — booking scheduling (if used)
• Hosting provider — static site delivery

We may also disclose your information where required to do so by law, court order, or regulatory authority, or where necessary to establish, exercise, or defend legal claims. We will never sell, rent, or trade your personal data.

06International transfers

Some of our processors are based outside the UK/EEA. Where personal data is transferred outside the UK/EEA, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent safeguards approved under UK GDPR.

07Retention

• Lead-form data: up to 24 months after last interaction, then deleted or anonymised
• Purchase, booking, and invoice records: 7 years from the end of the relevant tax year (HMRC requirement)
• Session notes and training records: up to 3 years after the last session
• Marketing list: until you unsubscribe, then removed within 30 days
• Security logs: up to 12 months

We may retain anonymised or aggregated data indefinitely for statistical purposes.

08Your rights

Under UK GDPR you have rights of access, rectification, erasure, restriction, portability, and objection, as well as the right to withdraw consent at any time and to lodge a complaint with the Information Commissioner's Office (ico.org.uk). These rights are not absolute and may be limited where we have a legal obligation or legitimate interest in continuing to process the data.

To exercise any of these rights, email contact@vitalityrich.fit. We'll respond within 30 days. We may need to verify your identity before acting on a request.

09Cookies

We use a small number of cookies and similar technologies:

• Strictly necessary — remember session state, booking progress, theme choice. Cannot be disabled.
• Analytics — anonymised, aggregate page-view counts. No cross-site tracking, no ad identifiers.

We do not use Facebook Pixel, Google Ads tags, session-recording tools, or behavioural advertising.

10Refunds

11Security

We use industry-standard technical and organisational measures: TLS in transit, AES-256 at rest, multi-factor authentication on admin accounts, principle of least privilege, and regular backups. No system is 100% secure. You acknowledge that you provide your data at your own risk, and that VR cannot guarantee absolute security. In the event of a notifiable breach, we will notify you and the ICO within 72 hours where required by law.

12Children

Our services are intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.

13Changes to this policy

We may update this policy at any time. The "Effective" date at the top reflects the latest version. Material changes will be notified by email or a prominent site notice. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14Contact

Email: contact@vitalityrich.fit
Post: Vitality Rich Ltd, Norwich, UK
Response time: within 30 days (typically under 48 hours)

If we cannot resolve your concern, you have the right to complain to the Information Commissioner's Office at ico.org.uk.