Summary: IRONFORGE collects only the data needed to deliver coaching services, manage your membership, and keep our facilities safe. We do not sell your personal data. This policy is incorporated by reference into our Terms & Conditions.
Data We Collect
We collect the following categories of personal data:
- Identity data — name, date of birth, photograph for facility access
- Contact data — email address, phone number, postal address
- Health & fitness data — body composition measurements, performance metrics, training history, and any medical conditions you disclose
- Payment data — billing details processed by PCI-DSS-compliant third-party processors; we never store full card numbers
- Usage data — facility check-ins, class attendance, and app activity
Data You Provide vs. Data We Generate
Most data comes directly from you at registration or during coaching sessions. We also generate derived data — such as progress trends and program recommendations — from your training history.
Why We Collect It
We process your personal data for the following purposes:
- Delivering and personalising coaching services and training programs
- Managing your membership, bookings, and billing
- Ensuring facility safety and enforcing community standards
- Communicating schedule changes, program updates, and service notices
- Improving our services through aggregated, anonymised analytics
IMPORTANT Health and fitness data is collected solely for the purpose of delivering and improving our coaching services. It is never sold to third parties. It may be shared with your assigned coaches and, where required by law, with regulated health or legal authorities.
Legal Bases
We rely on the following legal bases for processing:
- Contract — processing needed to deliver the membership and programs you signed up for
- Consent — health data disclosures, marketing communications, and progress photography
- Legitimate interest — facility security, fraud prevention, and service improvement
- Legal obligation — tax records, safety incident reports, and lawful requests from authorities
You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Sharing & Third Parties
We share personal data only with:
- Your assigned coaches — training and health data needed to coach you safely
- Payment processors — billing details required to process recurring payments
- Service providers — booking, messaging, and analytics platforms bound by data-processing agreements
- Authorities — where disclosure is required by law or necessary to protect vital interests
We never sell, rent, or trade your personal data to any third party for marketing purposes.
Data Retention
We retain personal data only as long as necessary:
- Active membership data — for the duration of your membership
- Financial records — 7 years, as required by tax law
- Health & training data — deleted or anonymised within 12 months of membership termination, unless you request earlier deletion
- CCTV footage — 30 days, unless retained for an active safety investigation
Your Rights
You have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure — request deletion of your data where no legal basis requires retention
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interest, including marketing
To exercise any of these rights, contact [email protected]. We respond to all verified requests within 30 days.
Cookies & Analytics
Our website uses only strictly necessary cookies for core functionality (theme preference, session state). We use privacy-respecting, aggregated analytics that do not track you across other websites. No advertising cookies or cross-site trackers are used.
Security
We protect your data with industry-standard measures, including encryption in transit and at rest, role-based access controls, and regular security reviews. Facility access systems and member applications require individual authentication.
IMPORTANT If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority without undue delay, and in any case within 72 hours of becoming aware of it.
Changes & Contact
We may update this policy from time to time. Material changes will be announced by email at least 30 days before they take effect. The version number and effective date at the top of this page indicate which version is currently in force.
Questions about this policy or our data practices should be directed to [email protected].
Document Information
Privacy Policy · v1.0 · Effective January 1, 2026