Book My Free Trial
Book My Free Trial

RGA Salford Privacy Policy

Version 1.1 | Effective date: 24th of March 2026

Data Controller: Roll Stars JJ Ltd, a company registered in England and Wales, company number 14516899
Registered address: C/O Fft, Reedham House, 31 King Street West, Manchester, M3 2PJ
Trading as: Roger Gracie Academy Salford
Data protection contact: Mike Dorrian
Email: info@rgasalford.co.uk
ICO registration number: Pending registration

1. About This Policy

1.1 This Privacy Policy explains what personal data we collect about you, why we collect it, how we use it, who we share it with, and how long we keep it. It also tells you about your rights under UK data protection law and how to use them.

1.2 This policy applies to everyone who interacts with us, including members, trial participants, parents and guardians of child students, website visitors, and anyone who contacts us with an enquiry.

1.3 We handle your personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.4 Please read this policy alongside our Terms and Conditions and Membership Terms, which are available on our policies page. If you have questions about how we handle your data, please contact us at info@rgasalford.co.uk.

2. Who We Are

2.1 Roll Stars JJ Ltd, trading as Roger Gracie Academy Salford, is the data controller for the personal data described in this policy. As the data controller, we decide why and how your personal data is used.

2.2 We are registered with the Information Commissioner’s Office (ICO), the UK’s data protection regulator. Our registration number is shown in the contact box at the top of this policy. You can verify it on the ICO’s public register at ico.org.uk.

2.3 We have nominated a data protection contact who oversees how we handle personal data and can answer any questions you have about this policy. You can reach them at info@rgasalford.co.uk.

3. What Personal Data We Collect

3.1 We collect and process the following categories of personal data:

Category What this includes
Identity and contact data Full name, date of birth, home address, email address, phone number
Health and medical data Medical conditions, injuries, disabilities, allergies, and any other health information relevant to safe training
Emergency contact data Name, relationship, and contact details for a nominated emergency contact
Financial and billing data Payment method type, billing address, and transaction history. We do not store full card or bank account numbers directly. These are handled by our payment processor
Membership and training data Membership type and start date, belt rank and grade history, attendance records, session bookings, and coaching notes relevant to your progress
Communications data Records of messages, emails, enquiries, and support requests sent to us, and your marketing preferences
Technical and website data IP address, browser type, pages visited, time spent on our website, and other data collected through cookies and analytics tools
Images and video Photographs and video footage taken at the academy for marketing and communications purposes
CCTV footage Images recorded by our CCTV system, where installed at our premises

3.2 Health and medical data is classed as special category data under UK GDPR and receives additional legal protection. We ask for it so that your coaches can look after you safely during training. For example, knowing about a severe allergy, a cardiac condition, asthma, or a learning difficulty helps us adapt how we coach and respond if something happens. Sharing health information with us is voluntary and is not a condition of membership. We will always tell you at the point of collection why we are asking for specific information.

3.3 We do not collect or retain any other special category data, such as racial or ethnic origin, political opinions, religious beliefs, trade union membership, biometric data, or data about sexual orientation. If you share information of this kind with us, we will not record it or use it.

4. How We Collect Your Data

4.1 We collect personal data through the following means:

  1. Online registration, membership, enquiry, and health declaration forms on our website
  2. Trial class bookings made through our customer relationship management system (CRM)
  3. Paper forms or signed documents completed during enrolment, where applicable
  4. Communications you send to us by email, phone, or through our website
  5. Our gym management software, through which members book sessions, track attendance, and manage their accounts
  6. Cookies and analytics tools when you visit our website
  7. CCTV cameras on our premises, where installed
  8. Photography and video taken at the academy, where consent has been given

4.2 Where we ask you to provide personal data, we will always tell you why we are asking for it at the point of collection.

4.3 If you provide us with the personal data of a third party, such as an emergency contact or a child you are enrolling, you are responsible for ensuring you are entitled to share that data with us and, where possible, that the person is aware their details are being passed to us.

5. Our Lawful Basis for Processing

5.1 UK data protection law requires us to have a clear reason for every type of personal data we collect and use. The table below explains the reason that applies to each category of data.

Data category Our reason for using it Why this applies
Identity and contact data To fulfil our contract with you; our legitimate business interest in running the academy We need this to manage your membership and communicate with you. For trial and enquiry contacts, we have a legitimate interest in responding and following up
Health and medical data Your consent. In a genuine emergency, to protect your vital interests Where you choose to share health information with us, you give your consent for us to hold and use it to keep you safe in training. In a genuine emergency we may also use health data to protect your life or someone else’s, even without prior consent
Emergency contact data To protect your vital interests; our legitimate business interest in member safety Held so we can contact someone on your behalf if you are injured or taken ill
Financial and billing data To fulfil our contract with you; our legal obligation to maintain financial records Required to process payments and keep records as required by HMRC
Membership and training data To fulfil our contract with you; our legitimate business interest in delivering and improving the service Used to deliver the membership you have paid for and to track and support your progress
Communications data: responding to enquiries and messages Our legitimate business interest in communicating with members and prospective members We have a genuine business reason to respond to and keep records of communications
Communications data: marketing updates to existing members Our legitimate business interest in keeping existing members informed We may send existing members relevant updates about our services by email or text without a separate marketing opt-in, provided those messages relate to similar services and we make it easy to unsubscribe. Members can opt out at any time
Communications data: marketing to new contacts or by post Your consent We only send marketing to people who are not yet members, or any postal marketing, where prior consent has been given
Technical and website data Our legitimate business interest in running and improving our website (essential functions); your consent (non-essential cookies) Non-essential cookies, including those used for advertising and analytics, are only placed with your prior consent via our CookieYes tool
Images and video Your consent We only use identifiable photographs or footage for marketing purposes where you, or for a child their parent or guardian, have given written consent
CCTV footage Our legitimate business interest in the security of our premises and the safety of people in them CCTV helps us keep the building secure and respond to incidents

5.2 Where we rely on your consent to use your data, you have the right to withdraw that consent at any time. Withdrawing consent does not affect anything we did lawfully before you withdrew it. To withdraw consent, please contact us at info@rgasalford.co.uk.

6. How We Use Your Personal Data

6.1 We use your personal data for the following purposes:

  1. Processing your membership application, managing your account, and delivering the training you have signed up for
  2. Communicating with you about your membership, bookings, timetable changes, and academy news
  3. Tracking your attendance, belt rank, and progress so your coaches can support you effectively
  4. Processing your payments and maintaining accurate financial records
  5. Using any health or medical information you have chosen to share with us to keep you safe during training and to help our coaches support you appropriately
  6. Contacting your nominated emergency contact if you are injured or unwell and unable to contact them yourself
  7. Responding to enquiries and supporting you with any questions or concerns you raise
  8. Sending you information about our services, events, promotions, and updates where we have a lawful basis to do so
  9. Monitoring and improving our website using analytics and behaviour data
  10. Operating and maintaining the security and safety of our premises
  11. Meeting our legal and regulatory obligations

6.2 We will not use your personal data for any purpose that is incompatible with the purposes listed above. If we ever want to use your data for a new purpose, we will contact you with details before doing so.

7. Third Parties and Data Processors

7.1 We share your personal data with certain third parties in order to operate our academy and deliver our services. Some act as data processors, meaning they handle data on our behalf and under our instructions only. Others act as independent data controllers and are separately responsible for their own compliance.

7.2 The table below lists the third parties we currently work with.

Third party Purpose Data shared
GoHighLevel Customer relationship management, lead and enquiry tracking, trial bookings, and automated follow-up communications Name, contact details, enquiry and booking information, communications history
Quill Forms Online registration, membership, and health declaration forms Name, contact details, health data, and any other information submitted through our online forms
GymDesk Membership management, session booking, attendance tracking, and belt rank records Name, contact details, membership data, attendance, belt rank, and training history
GoCardless Processing recurring membership payments by direct debit Name, billing address, bank account details (handled by GoCardless), and transaction history
Square Processing one-off payments for merchandise, uniforms, and other purchases Name, payment card details (handled by Square), and transaction history
CookieYes Cookie consent management: recording and managing your cookie preferences on our website Your consent preferences and the date and version of consent given
Google Analytics Website usage analytics Anonymised data on pages visited and session behaviour. Only active where cookie consent has been given
Google Tag Manager Managing analytics and marketing tracking tools on our website Technical website data. Marketing and analytics tags only fire where cookie consent has been given
Meta (Facebook and Instagram) Paid advertising and ad performance tracking. We use two methods to share data with Meta: the Meta Pixel on our website, and the Meta Conversions API (CAPI), which sends data to Meta server-side from our CRM and our website. For data shared via the Pixel, we and Meta may share responsibility up to the point it is transmitted to Meta. Meta then processes all data under its own privacy policy Via the Pixel: technical website data (IP address, browser, pages visited), only where cookie consent has been given. Via the Conversions API: hashed versions of your email address, phone number, name, and IP address, along with event data such as enquiries submitted and trial bookings made, only where cookie consent has been given
Microsoft Clarity Website behaviour analytics including heatmaps and session recordings Anonymised interaction data. Only active where cookie consent has been given
Google Workspace Email, document storage, and internal communications Any personal data contained in emails and documents we create and store

7.3 Where a third party processes data on our behalf, they are contractually required to handle it securely, use it only as we instruct, and comply with UK GDPR. We do not sell your personal data to any third party.

7.4 Some of the third parties listed above may store or process your data outside the UK. Where this happens, we make sure that appropriate legal safeguards are in place to protect your data. You can ask for more information about these safeguards by contacting us at info@rgasalford.co.uk.

7.5 We may also share your personal data with law enforcement agencies, courts, or other authorities where we are legally required to do so, or where we reasonably believe it is necessary to protect someone’s safety.

8. Cookies

8.1 Our website uses cookies. We use CookieYes to manage cookie consent, and non-essential cookies will only be placed on your device where you have given your prior consent through the cookie banner on our website. You can update your preferences at any time using the cookie settings link in our website footer.

8.2 Full details of the cookies we use, what they do, how long they last, and how to manage your preferences are set out in our Cookie Policy, which is available on our policies page.

9. CCTV

9.1 We operate CCTV at our premises for the safety and security of everyone in our building and the protection of our property. Footage is held securely and retained for 30 days before being automatically overwritten, unless a specific recording needs to be kept in connection with an incident or legal matter.

9.2 Full details of how we operate our CCTV system, including camera locations and access controls, are set out in our CCTV Policy, which is available on our policies page.

10. Photography and Video

10.1 We may take photographs and video footage at our academy for use in our marketing and communications. We will only use identifiable images of you for marketing purposes where you, or for a child their parent or guardian, have given written consent. You may withdraw that consent at any time by contacting us at info@rgasalford.co.uk.

10.2 Full details of how we manage photography and video at the academy, including the consent process, are set out in our Media Consent Policy, which is available on our policies page.

11. Children’s Data

11.1 Where a child under the age of 18 trains with us, we collect and process personal data about that child as part of the normal membership and safety processes described in this policy. For children, the parent or guardian acts as the contracting party and provides consent for photography and video where applicable.

11.2 Children’s personal data is handled with additional care. Access is restricted to authorised staff and coaches who need it to deliver training safely.

11.3 Older children and teenagers may, depending on their level of understanding and maturity, be able to exercise certain data rights independently. If you are a parent or guardian with a question about your child’s data, or a young person wishing to exercise your own rights, please contact us at info@rgasalford.co.uk.

11.4 Our Safeguarding Policy sets out the wider responsibilities we have towards the welfare of children in our care and is available on our policies page.

12. How Long We Keep Your Data

12.1 We keep your personal data for only as long as we need it. The table below sets out our retention periods for each category of data.

Data category Retention period Reason
Membership and contact data Duration of membership plus 6 years To handle post-membership queries and meet legal obligations
Health and medical data (adults) Duration of membership plus 6 years In case of a delayed injury claim arising from training
Financial and billing records 7 years from the end of the relevant tax year Required by HMRC
Children’s data: identity, contact, health, and training records Until the child reaches the age of 25, or 6 years after their last attendance, whichever is longer To cover any injury claim that could be brought once the child reaches adulthood. Financial records for children follow the 7-year HMRC rule, which may run at the same time
Safeguarding records relating to a child Until the child reaches the age of 25, or at least 7 years after their last attendance, whichever is longer In line with statutory guidance on safeguarding record keeping
CCTV footage 30 days, unless retained for a specific incident Routine security purposes only
Trial and enquiry data 24 months from the date of last contact To handle follow-up enquiries
Marketing consent records While subscribed, plus 2 years after unsubscribing To demonstrate that consent was validly given or withdrawn
Images and video Until consent is withdrawn, or until we no longer have a use for the material, whichever is sooner We will not retain or use images once consent has been withdrawn
Emails, enquiries, and support messages 3 years from the date of last communication To handle any follow-up queries or disputes
Website analytics data 26 months To monitor website performance over time

12.2 When your data is no longer needed, we will delete or anonymise it securely. Where immediate deletion is not possible, for example because data is held in backup systems, we will isolate it from further processing until deletion can be carried out.

13. Your Rights

13.1 Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  1. The right to be informed. You have the right to know what personal data we hold about you and how we use it. This policy fulfils that right.
  2. The right of access. You have the right to ask for a copy of the personal data we hold about you. This is known as a Subject Access Request. See Section 14 for how to make one.
  3. The right to rectification. If any data we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.
  4. The right to erasure. In certain circumstances, you have the right to ask us to delete your personal data. This right does not apply where we have a legal obligation to keep the data or where we need it to deal with a legal claim.
  5. The right to restrict processing. In certain circumstances, you can ask us to pause using your data while a dispute is being resolved, without asking us to delete it entirely.
  6. The right to data portability. Where we process your data by automated means on the basis of consent or contract, you have the right to receive it in a commonly used format and, where technically possible, to have it transferred directly to another organisation.
  7. The right to object. You have the right to object to us using your data on the basis of our legitimate business interests. We will stop unless we can show a compelling reason that outweighs your rights. Where you object to us using your data for direct marketing, we will always stop with no exceptions. Contact us at info@rgasalford.co.uk to opt out.
  8. The right to object to profiling. We use automated systems in our CRM to send follow-up messages based on your behaviour, for example if you enquired but did not book. This does not make any significant decisions about you automatically, but you have the right to object to it at any time by contacting us at info@rgasalford.co.uk.
  9. The right to withdraw consent. Where we rely on your consent to use your data, you can withdraw it at any time. This will not affect anything we did lawfully before you withdrew it.
  10. The right to complain. You have the right to complain to the ICO if you believe we have not handled your personal data lawfully. Section 15 explains how to do this.

13.2 To exercise any of these rights, please contact us at info@rgasalford.co.uk. We will respond within one month. In complex cases we may take up to three months, but we will let you know within the first month if that is the case.

13.3 We will not charge you for exercising your rights in most circumstances. If a request is clearly unfounded or excessive, we may charge a reasonable fee or decline to respond, and we will tell you if that applies.

14. How to Make a Subject Access Request

14.1 A Subject Access Request gives you the right to receive a copy of the personal data we hold about you, along with information about why we hold it, where we got it from, who it has been shared with, and how long we intend to keep it.

14.2 To make a Subject Access Request, please follow these steps:

  1. Send your request by email to info@rgasalford.co.uk.
  2. Include your full name, the email address we hold for you, and your membership number or account reference if you know it.
  3. Tell us what data you are looking for. If you want everything we hold, simply say so. If you are looking for data from a specific period or category, please describe it.
  4. We may need to verify your identity before releasing any data and will let you know within a few days if we need anything from you.
  5. We will provide your data within one month of receiving a valid request.

14.3 If you are making a request on behalf of a child, please confirm your relationship to the child and include their full name and date of birth. Where a child is of sufficient age and maturity to act independently, we may seek confirmation from them before releasing data to a parent or guardian.

15. Complaints and the ICO

15.1 If you have a concern about the way we handle your personal data, please contact us first at info@rgasalford.co.uk. We will do our best to resolve your concern promptly and fairly.

15.2 If you are not satisfied with our response, or if you believe we have not handled your data lawfully, you have the right to complain to the ICO.

15.3 You can contact the ICO in the following ways:

  1. Online: ico.org.uk/make-a-complaint
  2. By phone: 0303 123 1113
  3. By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

15.4 We would always prefer to hear from you directly before you contact the ICO, so please give us the opportunity to put things right first.

16. Changes to This Policy

16.1 We may update this Privacy Policy from time to time. When we do, we will update the version number and effective date at the top of this page.

16.2 If we make a significant change to how we use your personal data, we will let you know by email or by placing a notice on our website before the change takes effect.

16.3 We recommend reviewing this policy from time to time so you are always aware of how we handle your data.

This Privacy Policy was last updated on 24th of March 2026 and is version 1.1.