
Privacy Policy

Halo’s Privacy Promise to Our Customers

This privacy promise is our commitment to put our customers in control of what happens to their data. There are separate policies for:

Our privacy promise is all about transparency and trust.

How we use your information

This document tells you what to expect when we collect personal information. It applies to information we collect about:

Halo Leisure Services Ltd is the data controller for the information you provide unless otherwise stated.

Visitors to Halo centres

Safety and Security

Halo operates CCTV at its centres for the purposes of crime prevention and security. We keep these images for no more than four weeks. CCTV footage will be shared with the relevant body, e.g. the police or an insurance company, as necessary to recover losses.

Any visitors who have or witness an accident or dangerous incident are required to report the details to a member of staff. Details of the accident/incident including your name, age, contact number and details of any injuries will be collected. These will be shared with our insurers and legal representatives as necessary. Unless required for an ongoing legal case, accident forms and witness statements are kept for three years and then securely destroyed.  

Car Parking at Hereford Leisure Centre and Leominster Leisure Centre

We’ve partnered with Corporate Parking Management to manage the pay and display parking at Hereford Leisure Centre and Leominster Leisure Centre. Halo Leisure along with CPM are the joint controllers of all car parking data:

  • When you enter the car park at Hereford Leisure Centre, CPM collect and process data comprising images of vehicles using the car park and/or the Vehicle Registration Mark (VRM).
  • When you are parked at Hereford Leisure Centre or Leominster Leisure Centre, SPM wardens may collect and process data comprising images of vehicles using the car park and/or the VRM.
  • When you enter your VRM into the pay and display machine at Hereford Leisure Centre, this data is received and controlled by CPM. The pay and display machine is the property of CPM and Halo has no access to this data.
  • At Hereford Leisure Centre, when you pay for your parking at reception or have free parking validated, Halo employees access a secure portal controlled by CPM to enter a pseudonymised reference number (your member ID) and your VRM. Halo and CPM are joint controllers of this data.
  • In the event of an infringement of the parking terms and conditions CPM may share your data with the Driver and Vehicle Licensing Agency.

People who book activities or are registered users in Halo centres

We collect the name and contact details of people who pre-book activities in Halo centres or are registered Halo card holders.

  • We would like to collect a mobile phone number so that we can contact you if there are any issues with your booking or registration but we will also be happy with a landline phone number, email address or postal address instead.

We’ll also take your photo for identification purposes.

We use this data to ensure that activities and entitlements are allocated correctly on arrival.

This information is stored in our membership management system. You will occasionally be asked to re-consent to us holding your information.

People who have a Halo membership agreement

We need to collect additional information from people who have a Halo membership agreement. We use this to manage the contract between us. Additional information collected is:

  • Bank details, including account number and sort code (for customers who pay by Direct Debit)
  • Payment dates and payment history
  • Email address
  • Postal address

This information is stored in our membership management system.

  • Bank details for Direct Debit payments are communicated to our bank using BACS approved online software hosted by a third party provider called Access Pay. We communicate with Access Pay over a secure FTP channel using automated, encrypted file upload and multi-factor authentication.

Face Recognition Software

We use face recognition software provided by CCTech Ltd.

Your digital image is processed by and on behalf of Halo for the sole purpose of controlling access to the centre under your membership contract. Halo is in control of your personal data within the CCTech Ltd software.

  • We will process your image solely on the legal basis that it is necessary for the performance of the membership contract in regard to access and use of Halo centre facilities. Your image is classified as biometric data and collected and processed on the basis of your explicit consent.
  • Your image will be retained for the duration of your membership contract and for six months following the last day of your membership. Halo Leisure are the Data Controller.
  • We will use your image data solely for the purpose it was provided, other than for legally permitted exceptions.
  • Your image will be accessed only by appropriate authorised users for the specified purposes.
  • The images will be stored on secure AWS servers within the European Union under contract to CCTech Ltd who act as a processor of the data.
  • A copy of the image will also be stored on locally based secure servers at all Halo centres where face recognition is in use.
  • Your member ID, first name and surname will also be stored on these servers.

Additional controls relating to children who use Halo centres

For children aged under 13 years of age, we will only collect and process data with the consent of the child’s parent or guardian. After children reach their 13th birthday, they will be informed of what information we hold on them and the purposes for holding this.

Parents or guardians registering for online progress updates about their children on coaching courses must provide the Halo membership number, date of birth and postcode of the child to ensure they only have access to course information about children they have permission to view. Users are responsible for the safety and security of their own log in details including username and password.

People who receive discounts

We collect additional details for people who apply for or receive discounts in Halo centres. We use these to ensure the discount is allocated correctly. Depending on the discount requested, additional information collected will be one or more of the following:

  • Date-of-birth (for age based discounts)
  • Employer/Group/Club (for Active Together group discounts)
  • Welfare and Means Tested Benefit entitlement
  • Defence Discount ID to receive free swimming in Bridgend County Borough
  • If you receive a discount because of a disability or because you are in receipt of benefits this information will be collected.

This information is stored in our membership management system.

Customers who take part in activities funded by Herefordshire Council

Customers who take part in schemes or activities funded by Herefordshire Council may have their usage tracked in order to assess the effectiveness of the scheme.

If you have given consent you may receive questionnaires asking for feedback on the free sessions or on how the schemes have impacted your health, wellbeing and activity levels. The results of these questionnaires will be collected by Herefordshire Council.

People who are enrolled in the National Exercise Referral Scheme

The National Exercise Referral scheme is an evaluated project examining the impact of physical activity on your health. It is run in our Bridgend County Borough centres by Halo on behalf of the Welsh Local Government Association and Public Health Wales.

If you are recommended to take part in the programme, you will be asked to give your GP, practice nurse or other health care practitioner consent to provide us with your name and address information.

Your contact details will be added to a national database, hosted by the Welsh Government Data Unit.

We will write to you to invite you to participate. If you do not respond to us within 3 weeks we will destroy the information we have been provided, by shredding, and mark in the national database that you have not taken part in the scheme.

In addition to the standard membership data listed above, if you participate in the scheme we will collect the following personal and health details and record these in the national database, hosted by the Welsh Government Data Unit, for evaluation purposes.

  • Full address
  • Date-of-birth
  • Health details:
  • Height
  • Weight
  • Blood Pressure
  • BMI
  • Relevant past medical history

In addition to these, we use a range of appropriate questionnaires for evaluation purposes. These include:

  • Scottish Physical Activity Questionnaire (SPAQ)
  • EQ-5-DL Quality of Life Questionnaire

When used for evaluation and reporting your individual information will be anonymised.

Your details will be securely stored on paper for a maximum of 16 weeks and thereafter any paper copies of your records are destroyed. Your digital information will remain in the national database. Your information will not be shared with any other parties unless listed above.

You will have the right to withdraw from this process at any point during your 16 week membership and can do so by contacting a member of the referral team.

People who are referred by the NHS or other medical practitioner

Halo runs a referral scheme alongside the NHS and other local medical practitioners.

If you are recommended to take part in the programme, you will be asked to give your GP, practice nurse or other health care practitioner consent to provide us with your name and address information.

We will contact you to invite you to participate. If you do not respond to us within 3 months we will destroy the information we have been provided, by shredding.

In addition to the standard membership data listed above, if you participate in the scheme we will collect the following personal and health details.

  • Full address
  • Date-of-birth
  • Health details:
  • Height
  • Weight
  • Blood Pressure
  • BMI
  • Relevant past medical history

In addition to these, we use a range of appropriate questionnaires for evaluation purposes. These include:

When used for evaluation and reporting your individual information will be anonymised.

Your details will be securely stored on paper for the duration of the program and thereafter any paper copies of your records are destroyed 12 months after termination of the program.

You will have the right to withdraw from this process at any point.

Activity profiling

We request gender, date-of-birth and postcode information from all customers.

We use this information and other information collected and stored in our membership management system in reports. It is always fully anonymised or pseudonymised.

  • Customers are not required to provide this information in order to access our services but if they consent it helps us to make sure we are succeeding in our mission to create healthier communities.

Use of customer data for marketing purposes

We will always ask you to consent before using any information you have given to us for direct marketing activity. You can state your communication preferences – email, text, letter or phone call.

  • We will not make your information available to third parties to use for marketing purposes – or any purposes other than those outlined in this policy – without your express consent.

Customers have the option to withdraw consent for marketing communication at any time – instructions on how to do this will be included in any communications we send you.

E-newsletter and other electronic customer communications

If you have consented to receive marketing from us, we use a third party provider, Legend Leisure Services, to deliver our monthly e-newsletters and other e-customer communications. We gather statistics around email opening and click rates using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter.

Membership management system

We store customer data in a membership management system provided by Legend Leisure Services Ltd. All data is encrypted in transit and at rest. In addition to the information that you have provided us with, we collect information about your past and future bookings, attendance, purchases and member account history. Legend Leisure Services Ltd will not use your data for any purpose not outlined in this policy.

Printed letters and communications sent to your home

We use two external companies to print and post letters directly to your home – Legend Leisure Services and Brief Your Market. Both third parties have been awarded the Certificate of Registration – Information Security Management System ISO/IEC 27001 for their good practice in data handling and security.

Customer scoring

We use information we have collected about you in our membership management system to profile your account into one of four categories: very high risk, high risk, medium risk and low risk. The risk relates to your likelihood of upgrading or cancelling your account. If you have consented to receive marketing information from us the category we have assigned may affect the content of the messages we send you.

Membership management system data retention policy

If you have a Halo card but do not have a membership agreement, nine months after your last visit your account, which contains your personal information, will enter a cancellation process, which will take up to 30 days to conclude.

If you have a membership agreement, your account will be cancelled on the day your agreement ends.

  • Once the account containing your personal information is cancelled, we will retain your information in our membership management system for a further six months.

After six months we will archive your personal information from our membership management system. This means we will redact all information which would allow us to personally identify you. We will retain anonymised activity profiling information.

If you would like us to remove your personal information from our membership management system sooner than the automated schedule, please contact us by writing to the address below. We will aim to remove your data within 30 days.

Please note that we reserve the right to retain data where we have a legitimate interest in doing so. Examples include but are not limited to situations where there is a contract between us, there is an outstanding payment on your account or there is an important operational or security reason for retaining your information in our live systems. We will advise you in writing should you request to be forgotten and we are not able to fulfill your request. 

Enquiries

People making enquiries through email, phone, social media, letter or face to face may be asked to provide contact details which are recorded in Halo’s membership management system to allow the enquiry to be answered by the relevant member of staff. We will ask if you are happy for your details to be used for future marketing purposes.

Visitors to our websites and other electronic activity

We operate three public websites:

When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website unless express consent has been given by the individual to do so by allowing the relevant cookies to be stored on your device for the purpose of our remarketing programs. If we want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Online access to our bookings and memberships is via https://halo.legendonlineservices.co.uk. This is an encrypted connection to our membership management system. In order to manage and control access, we will collect your email address. You are responsible for the safety and security of your own log in details including username and password.

Use of cookies on online tools and transactions

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, your computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally. You can read more about how we use cookies in our cookies policy.

AI Usage Statement

HALO LEISURE is actively exploring how we could and should integrate elements of AI technology into our ways of working, to deliver better outcomes for members. At this point, we see ‘human-in-the-loop’ – aka our human involvement to check, edit and improve AI-supported activities – as fundamental. We believe that the intelligent use of AI tools has the potential to improve the value we deliver for members by automating some repetitive, rules-based activities and automating answers to enquiries via the HALO help desk or web site, thereby improving response times and accuracy of information.

HALO LEISURE has enabled a service that will take a question, typed into a chatbot by a customer or member of the public and use only information provided by Halo to answer the question in a conversational way. The system uses generative AI to provide an answer to the user’s question based on the information provided by Halo. It will only be used to answer general FAQs.

Given the proliferation of technologies that have emerged in the last year, we are still reviewing various tools to find the solutions that work best for our members’ needs. As our use of these tools becomes more established in the future, we anticipate being able to funnel more of our energy into the delivery of quality support to our members, as well as taking our reporting and analysis to the next level to drive even more value for members.

Customer satisfaction reporting

From time to time, we will email you to request feedback about the service you have received in a Halo Centre. The email will contain a link to REVIEWS.io where you will be invited to leave your review. You may opt out of this service.

If you choose to respond to this request, you will be directed to REVIEWS.io who will automatically generate a personal account and collect the following personal data about you:

  • Your Name (this will be public unless you have chosen to be anonymous)
  • Your email address
  • Social Media Profile (optional, if added)

REVIEWS.io becomes the Data Controller once you have written a review. Halo has access to this data as a Data Processor.

REVIEWS.io stores data relating to Halo’s customers in the UK only.

Security and performance

Halo uses third party services (Wye Host Ltd and Big Wave Media Services Ltd) to help maintain the security and performance of the Halo website. To deliver this service it processes the IP addresses of visitors to the Halo website.

People who contact us via social media

We use a third party provider, Oktopost, to manage our social media interactions.

If you send us a private or direct message via social media it will not be shared with any other organisations.

People who contact us by phone

When you call us, we collect Calling Line Identification (CLI) information. We use this information to help improve the efficiency and effectiveness of our services. Your phone number will be stored in our database for reporting and customer service purposes.

People who email us

We use Transport Layer Security (TLS) to encrypt and protect email traffic. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We also monitor emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

We discourage our in-house users from using other people’s personal information in emails. For example when we are communicating about a customer we will use a pseudonymised key rather than the customer’s name. This key requires access to the membership management system to access personal information.

Emails that we send or receive automatically enter a 30 day deletion process 365 days after their send date. Due to the way email applications attach previous replies to new messages, this may mean that some personal information is retained longer than our email retention period.

Attachments or contents of emails may be stored outside of the email application where they are covered by another part of our data retention policy. For example, personnel files received by email will be stored in the relevant personnel file and are subject to the relevant data retention policy.

General electronic document storage

All of our day to day business documentation is prepared and stored using G-Suite, which is a brand of cloud computing, productivity and collaboration tools, software and products developed by Google.

You can read about Google’s Security and Compliance approach here.

General documents are stored for up to 275 days. At the beginning of the month after documents reach 180 days old, they enter a 60 day automatic deletion process. Internal document owners can flag individual documents or folders for longer retention subject to the guidelines laid out elsewhere in this document.

Visitors who use our fitness equipment and use technology inside or outside our centres to track and support health, lifestyle and activity 

In our gyms and group exercise studios we use some external companies to provide additional services such as personalised profiles and programmes. Halo undertake a thorough assessment of these providers and we believe them to be safe for our customers to use. You are not required to sign up to any of these tools as part of your agreement/usage with Halo. Any information you provide to these third parties is outside the control of Halo. The following third parties are used:

If you would like more information regarding these companies and your data please write to the contact referred to later in this document.

Your rights

You have rights as an individual which you can exercise in relation to the information we hold about you.

You can read more about your rights here

Complaints or queries

Halo aspires to the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of Halo’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

Access to personal information

Halo tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to Halo for any personal information we may hold you need to put the request in writing addressing it to our Systems and Membership Manager, at the address provided below.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Systems and Membership Manager.

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Halo App

We store customer data in our Halo App powered by Innovatise. All data is encrypted in transit and at rest. In addition to the information that you have provided us with, we collect information about your past and future bookings, attendance, purchases and member account history.

We may use this information to contact you in reference to bookings, important customer announcements, e.g. cancellation of activities, or marketing and promotions.

Legend Leisure Services Ltd and Innovatise will not use your data for any purpose not outlined in this policy.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 3rd February 2025.

How to contact us

If you want to request information about our customer privacy policy you can email us at YourDataMatters@haloleisure.org.uk or write to:

Systems and Membership Manager
Halo Support Centre
Lion Yard
Broad Street
Leominster
HR6 8BT
