1. Introduction to this Policy
1.2. This website is not intended for children and we do not knowingly collect data relating to children.
1.3. We want all our customers to be confident using our Website and our services, and we are committed to ensuring the privacy of all our customers. You should read this Policy carefully as it contains important information about how we will use your Information (as defined below in clause 4.1). In certain circumstances (see below) you will be required to indicate your consent to the processing of your Information as set out in this Policy when you first submit such Information to or through the Website. For further information about consent see clause 8 below.
1.4. We may update this Policy from time to time in accordance with clause 19 below. This Policy was last updated on 5th July 2018.
2. About us
2.1. The terms “Gloden” or “us” or “we” refer to Gloden Limited, the owner of the Website and provider of the services. We are a company registered in England and Wales under company number 03123994 whose registered office is at 16 High Street, Axbridge, Somerset, BS26 2AF. The term “you” refers to the individual accessing and/or submitting Information to the Website.
2.2. We, as the Data Controller, can be contacted via our representative by email on firstname.lastname@example.org or by calling 0800 652 9280.
3. Data Protection
3.1. References in this Policy to:
3.1.1. “Privacy and Data Protection Requirements” means: the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulation 2016/679 (“GDPR”) or any equivalent provision which may replace the GDPR following the formal political separation of the United Kingdom from the European Union; the Regulation of Investigatory Powers Act 2000; the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699); the Electronic Communications Data Protection Directive (2002/58/EC); the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003); and all applicable laws and regulations which may be in force from time to time relating to the processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction; and
3.1.2. “Personal Data”, “Data Controller” and “Data Processor” and “processing” shall have the meanings given to them in the DPA or, from 25 May 2018, the GDPR.
3.2. For the purposes of applicable Privacy and Data Protection Requirements, we (Gloden Limited) are a Data Controller and therefore we are responsible for, and control the processing of, your Personal Data in accordance with applicable Privacy and Data Protection Requirements. “Personal Data” has a legal definition but, in brief, it refers to information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Such information must be protected in accordance with applicable Privacy and Data Protection Requirements.
4. Information we may collect about you
4.1. When you use the Website and/or when you otherwise deal with us we may collect the following information about you (“Information”):
4.1.1. Personal information including first and last name, date of birth, photograph and/or likeness;
4.1.2. Contact information including current residential address, primary email address and/or primary phone number;
4.1.3. Banking information including banking details, account name, account number;
4.1.4. Genetic heritage, and skin type;
4.1.5. Whether you are pregnant, taking any prescribed medication, or information about your medical history and any medical conditions, skin conditions that may affect you, or any past adverse reaction to sunlight, and details of any medical advice given in this regard (“Health Data”);
4.1.6. Technical information including IP address, operating system, browser type and related information regarding the device you used to visit the Website, the length of your visit and your interactions with the Website;
4.1.7. Information obtained through our correspondence and monitoring in accordance with clause 4.2 below; and
4.1.8. Details of any enquiries made by you through the Website, together with details relating to subsequent correspondence (if applicable).
4.3. Occasionally we may receive information about you from other sources such as any third-party websites and applications that integrate or communicate with the Website in relation to you. If so, we will add this information to the information we already hold about you in order to help us carry out the activities listed below.
5. How long we keep your information
5.1. Subject to clause 5.2, we will keep your Information only for the purposes set out in the table below for:
5.1.1. Unless you ask us to delete it, where the legal basis for the processing is that it is necessary for the performance of the contract between us, or where that is not applicable, for the legitimate interests that we pursue we will keep your member Information for 2 years following your last purchase;
5.1.2. We will process your payment information for the time it takes to process your purchase for the contract between us. After each payment has been processed we will retain the payment information for a period of 2 years, after which we will no longer retain this information;
5.1.3. We will process your special category data (See table in clause 7.1) for the purpose of assessing your suitability for tanning. We will retain electronic copies of this information (plus hard copies of spray tan and Ifit client cards) for a period of 2 years after the date of the last visit. Other hard copies of information (i.e. skin type analysis forms) will be shredded within two months; or
5.1.4. until consent is withdrawn (whichever is sooner), where the legal basis is express consent, i.e. for marketing.
5.2. If required, we will be entitled to hold Information for longer periods in order to comply with our legal or regulatory obligations.
6. Legal basis for processing your information
6.1. From 25 May 2018, under applicable Privacy and Data Protection Requirements we may only process your Information if we have a “legal basis” (i.e. a legally permitted reason) for doing so. For the purposes of this Policy, our legal basis for processing your Information is set out in the table below.
Why we will process your Information
The legal basis for which is...
Where you want to set up an account with us, we process your Information to set up and manage your membership account. This will include sending you emails confirming your membership and other necessary administrative information.
To be able to provide you with our services we will need to process your Information as well as any Health Data to check your suitability for tanning.
To allow us to provide you with our tanning services, we will need to process payment information to allow you to pay for any purchases you make, whether in store or via our Website, namely via the payment kiosk.
Inform you about and provide you with our other services.
To investigate and address any comments, queries or complaints made by you regarding our services, and any similar or related comments, queries or complaints from other members.
To comply with UK legislation, such as the Sunbed (Regulations) Act 2010 we have to check that our customers are over the age of 18 when using UV tanning equipment. It is our policy to ask any customer who looks under 25 to present photo identification.
This is necessary to comply with our legal obligations (for example, the Sunbed (Regulations) Act 2010), the performance of the contract between us or in order to set up a contract between us and Information is processed to enable us to do so, for example, for you to use one of our sunbeds and we need to check your suitability before we can provide our services to you. Where there is no contract between us, the processing is necessary for the legitimate interests we pursue (or those of a third party), subject to you raising an objection under clause 16.6, requiring us to check that our interest in the processing is not overridden by the resulting risk to your rights and freedoms.
You can ask us to delete your information by emailing us on email@example.com.
Where required by (but not limited to) any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity.
To comply with our legal obligations, including obligations relating to the protection of Personal Data.
To disclose your information to selected third parties as permitted by this Policy (see 11 below).
This is necessary for the performance of the contract between us or in order to set up a contract between us and Information is processed to enable us to do so, for example, for you to use one of our sunbeds and we need to check your suitability before we can provide our services to you. Where there is no contract between us, the processing is necessary for the legitimate interests we pursue (or those of a third party), subject to you raising an objection under clause 16.6, requiring us to check that our interest in the processing is not overridden by the resulting risk to your rights and freedoms.
Where required, this processing will be subject to your consent – where it will be given separately - for that particular purpose (for which see clause 16.6 below).
Inform you about other member benefits, including offers available from Gloden. See Marketing and Opting Out in clause 9.
We send out marketing communications based on our legitimate interests of providing our services and keeping people informed about the services we offer. We will only contact you via your personal email address if:
(i) you have given your consent (see 'Marketing and opting out' in clause 9 below); or
(ii) you have previously bought goods or services from us and we are contacting you to let you know about similar goods and services that we offer (see 'Marketing and opting out' in clause 9 below).
You have the right at any time to let us know that you no longer wish to receive marketing communications from us.
7. Special category data
We will also obtain special category data about you (for example, Health Data) if you wish to use our services. We will process this information based on the table below:
Special Category Data
The legal basis for which is...
The separate condition for processing is…
Processing, including, but not limited to, storing, recording, Health Data or other data that reveals racial or ethnic origin. We process this data to be able to check your suitability for tanning. We also need to be able to use this information to accurately advise you on a tanning treatment plan.
As a responsible operator and members of The Sunbed Association, we need to ensure that your medical history and skin type make you suitable for your treatment of choice. We need to ensure there are no contra-indications to UV tanning/red-light therapy/vibration training/spray tanning. If you are not suitable, we cannot offer you such services.
We also need to be able to use this information to accurately advise you on a tanning treatment plan. This is necessary for the performance of the contract between us or in order to set up a contract between us and Information is processed to enable us to do so, for example, for you to use one of our sunbeds and we need to check your suitability before we can provide our services to you. Where there is no contract between us (for example, you are thinking of using one of our sunbeds), the processing is necessary for the legitimate interests we pursue (or those of a third party), subject to you raising an objection under clause 16.6, requiring us to check that our interest in the processing is not overridden by the resulting risk to your rights and freedoms.
We will only process this data so long as we have a legal basis to do so, but this processing will also be subject to your explicit consent - where given separately - for this specific purpose.
7.2. You can ask for a copy of your special category data at any time.
8. Your consent to processing
8.1. As noted above, you will be required to give consent to certain processing activities before we can process your Information as set out in this Policy. Where applicable, we will seek this consent from you when you first submit Information to or through the Website.
8.2. If you have previously given consent you may freely withdraw such consent at any time. You can do this by notifying us in writing via email to firstname.lastname@example.org.
8.3. Except in the case of special category data (please see clause 8.4 below), if you withdraw your consent, and if we do not have another legal basis for processing your information (see clause 6 above), then we will stop processing your Information. If we do have another legal basis for processing your information then we may continue to do so, subject to your legal rights, for which see clause 16 below.
8.4. In the case of special category data, if you withdraw your consent, then we will stop processing your Information in relation to that specific purpose.
8.5. Please note that if we need to process your Information in order to operate the Website and/or provide our services, and you object or do not consent to us processing your Information, the Website and/or those services may not be available to you.
9. Marketing and opting out
9.1. Where you have previously purchased products or services from us we may contact you by telephone, SMS, email and post about similar or related products, services, promotions and special offers that may be of interest to you. We will inform you (during the sale process) if we intend to use your data for such purposes and give you the opportunity to opt-out of receiving such information from us. In addition, and if you have given permission, we may also contact you by telephone, SMS and email about our other products, services, promotions and special offers that may be of interest to you. We will inform you (before collecting your data) and seek your permission if we intend to use your data for such additional marketing purposes. If you prefer not to receive any direct marketing communications from us, or you no longer wish to receive them, you can opt out at any time (see below).
9.2. If you have given permission, we may contact you by mail, telephone, SMS and email to provide information about products, services, promotions, special offers and other information we think may be of interest to you. We will inform you (before collecting your data) if we intend to use your data for such purposes. If you would rather not receive such marketing information from us, or you no longer wish to receive it, you can opt out at any time.
9.3. You have the right at any time to ask us to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to email@example.com, giving us enough information to identify you and deal with your request. Alternatively you can follow the unsubscribe instructions in emails you receive from us.
10. Automated decision making
10.1. We carry out an online skin type assessment on the Website, which asks customers a series of questions. Based on your responses, the software automatically produces a skin type score. If the skin type is 1, you will not be suitable for sunbed use, and you will be informed of this at the time. The results are recorded against your details on our system. We may offer you alternative services, such as a spray tan.
10.2. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.
11. Disclosure of your information
11.1. We may disclose your Information (including Personal Data):
11.1.1. to other companies within our group of companies (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006);
11.1.2. to our business partners, service providers or third-party contractors to enable them to undertake services for us and/or on our behalf (and we will ensure they have appropriate measures in place to protect your Information), for example, our technical support agency, our web agency, our IT company and marketing and branding agencies;
11.1.3. to any prospective buyer or seller (and their representatives) in the event that we sell or buy any business or assets;
11.1.4. if we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, including (but not limited to) any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity; and
11.1.5. to other third parties if you have specifically consented to us doing so.
11.2. We may disclose aggregated, anonymous information (i.e. information from which you cannot be personally identified), or insights based on such anonymous information, to selected third parties, including (without limitation) analytics and search engine providers to assist us in the improvement and optimisation of the Website. In such circumstances we do not disclose any information which can identify you personally.
11.3. If our whole business is sold or integrated with another business your Information may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.
12. Keeping your Information secure
12.1. We will use technical and organisational measures in accordance with good industry practice to safeguard your Information, including the use of data encryption.
12.2. While we will use all reasonable efforts to safeguard your Information, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any Information that is transferred from you or to you via the internet.
We may monitor and record communications with you (such as emails) for the purposes of provision of services, quality assurance, training, fraud prevention and compliance purposes. Any information that we receive through such monitoring and communication will be added to the information we already hold about you and may also be used for the purposes listed in clause 6 above.
14. Overseas transfers
14.1. From time to time we may need to transfer your Information to countries outside the European Economic Area, which comprises the EU member states plus Norway, Iceland and Liechtenstein (“EEA”).
14.2. Such countries may not have similar protections in place regarding protection and use of your data as those set out in this Policy. Therefore, if we do transfer your Information to countries outside the EEA we will take reasonable steps in accordance with applicable Privacy and Data Protection Requirements to ensure adequate protections are in place to ensure the security of your Information.
14.3. By submitting your Information to us in accordance with this Policy you consent to these transfers for the purposes specified in this Policy.
15. Information about other individuals
If you give us information on behalf of a third party, you confirm that the third party has appointed you to act on his/her/their behalf and has agreed that you can: give consent on his/her/their behalf to the processing of his/her/their Information; receive on his/her/their behalf any data protection notices; and give consent to the transfer of his/her/their Information abroad (if applicable).
16. Your rights
If you are an individual, this section sets out your legal rights in respect of any of your Personal Data that we are holding and/or processing. If you wish to exercise any of your legal rights you should put your request in writing to us (using our contact details in clause 22 below) giving us enough information to identify you and respond to your request.
16.1. You have the right to request access to information about Personal Data that we may hold and/or process about you, including: whether or not we are holding and/or processing your Personal Data; the extent of the Personal Data we are holding; and the purposes and extent of the processing.
16.2. You have the right to have any inaccurate information we hold about you corrected and/or updated. If any of the Information that you have provided changes, or if you become aware of any inaccuracies in such Information, please let us know in writing giving us enough information to deal with the change or correction.
16.3. You have the right in certain circumstances to request that we delete all Personal Data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example where we need to retain the Personal Data for legal compliance purposes. If this is the case, we will let you know.
16.4. You have the right in certain circumstances to request that we restrict the processing of your Personal Data, for example where the Personal Data is inaccurate or where you have objected to the processing (see clause 16.6 below).
16.5. You have the right to request a copy of the Personal Data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example where the processing is carried out by automated means. If you request the right to data portability and it is not available to you, we will let you know.
16.6. You have the right in certain circumstances to object to the processing of your Personal Data. If so, we shall stop processing your Personal Data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing then we will let you know.
16.7. You have the right in certain circumstances not to be subject to a decision based solely on automated processing, for example where a computer algorithm (rather than a person) makes decisions which affect your contractual rights. Please note that this right is not available in all circumstances. If you request this right and it is not available to you, we will let you know.
16.8. You have the right to object to direct marketing, for which see clause 9.3 above.
If you have any concerns about how we collect or process your Information then you have the right to lodge a complaint with a supervisory authority, which for the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at https://ico.org.uk/concerns/.
18. 'Cookies' and related software
18.1. Our software may issue ‘cookies’ (small text files) to your device when you access and use the Website and you will be asked to consent to this at the time (e.g. when you first visit our website). Cookies do not affect your privacy and security since a cookie cannot read data off your system or read cookie files created by other sites.
18.3. You can set your system not to accept cookies if you wish (for example by changing your browser settings so cookies are not accepted), however please note that some of our Website features may not function if you remove cookies from your system. For further general information about cookies please visit www.aboutcookies.org or www.allaboutcookies.org.
19. Changes to this Policy
19.1. We keep this Policy under regular review and may change it from time to time. If we change this Policy we will post the changes on this page, and place notices on other pages of the Website as applicable, so that you may be aware of the Information we collect and how we use it at all times. You are responsible for ensuring that you are aware of the most recent version of this Policy as it will apply each time you access the Website.
19.2. This Policy was last updated on 5th July 2018.
20. Links to other websites
20.1. Our Website may contain links to other websites. This Policy only applies to our Website. If you access links to other websites any Information you provide to them will be subject to the privacy policies of those other websites.
- We have no control over third party websites or systems and accept no legal responsibility for any content, material or information contained in them. Your use of third party sites or systems will be governed by the terms and conditions of that third party. It is your responsibility to ensure you are happy with such third-party terms and conditions.
- The display of any hyperlink and/or reference to any third-party website, system, product or service does not mean that we endorse that third party's website, products or services and any reliance you place on such hyperlink, reference or advert is done at your own risk.
This Policy aims to provide you with all relevant details about how we process your Information in a concise, transparent, intelligible and easily accessible form, using clear and plain language. If you have any difficulty in reading or understanding this Policy, or if you would like this Policy in another format (for example audio, large print or braille), please get in touch with us.
22. Contact us
We welcome your feedback and questions on this Policy. If you wish to contact us, please email us at firstname.lastname@example.org or call us on 0800 652 9280.