Privacy policy

Last updated: 9 May 2026

This is how CaliUnity collects, uses, stores and protects your personal information. We've tried to write it in plain English. If anything is unclear, email hello@caliunity.com and we'll explain it properly.

1. Who we are

CaliUnity CIC ("CaliUnity," "we," "us," or "our") is a Community Interest Company registered in England and Wales. We operate a calisthenics gym, online programmes, and free community projects in Bath.

Registered address: 97-101 Walcot Street, Bath, BA1 5BW, United Kingdom
Contact email: hello@caliunity.com
Website: www.caliunity.com

For the purposes of UK data protection law, CaliUnity CIC is the data controller. This means we decide how and why your personal data is processed. We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER TO BE INSERTED].

2. The law that applies

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we process the personal data of individuals in the European Economic Area (EEA), we also comply with the EU GDPR.

You can read about your data protection rights at ico.org.uk/your-data-matters.

3. The data we collect

We only collect the data we need to run the gym, deliver our services, and stay compliant with the law. Specifically:

Identity & contact data

• First name, last name, date of birth (where required for membership)
• Email address, phone number, postal address
• Emergency contact name and number (for in-person training)

Health & fitness data

• Information you give us about injuries, pain, medical conditions, pregnancy, or fitness history when relevant to safe coaching
• Goals, progress notes, training history, body measurements (only if you provide them)

Health information is treated as special category data under UK GDPR. We process it only with your explicit consent, and only to coach you safely and effectively.

Financial & transaction data

• Records of memberships, programmes, and products you've bought from us
• Refund and credit history

We do not store your card or bank details. All payments are processed by Stripe, our payment provider. See section 5 for more.

Marketing & communication data

• Your communication preferences (whether you've opted in to emails, SMS, or other updates)
• Your responses to our emails (open and click data, via Mailchimp)

Technical & usage data

• IP address, browser type, device type, operating system
• Pages you visit on our website, time spent, referral source
• Cookies and similar tracking technologies (see section 7)

Data from forms and consultations

• Information you submit through our intake form, contact forms, scholarship application, teen class signup, or free guide downloads
• Notes from your free consultation

4. Why we process your data, and our legal basis

UK GDPR requires us to identify a lawful basis for every type of processing. Here's how that breaks down:

Why we use your data	Our legal basis
To deliver coaching, memberships, and programmes you've bought	Performance of a contract
To process payments and refunds	Performance of a contract
To respond to your enquiries, run consultations, and follow up on form submissions	Legitimate interests (responding to your request)
To coach you safely around injuries, health conditions, or pregnancy	Explicit consent
To send marketing emails and updates	Consent (you can opt out at any time)
To run our website, analyse traffic, and improve the user experience	Legitimate interests / consent (for non-essential cookies)
To run targeted advertising via Meta (Facebook & Instagram)	Consent (via cookie banner)
To process scholarship applications	Explicit consent
To register parental consent for teen class participants	Consent of the parent or legal guardian
To meet our legal, tax, accounting, and regulatory obligations	Legal obligation

5. The third parties we share data with

We never sell your personal data. We only share it with the providers we need to run our business. Each of them is bound by their own data protection obligations.

Provider	What it does	Data shared
Squarespace	Hosts our website and processes form submissions	Anything you submit through the site
Stripe	Processes payments	Name, email, billing address, payment details
Mailchimp	Sends marketing emails and newsletters	Name, email, engagement data
Pipedrive	Our CRM - stores enquiries, consultation notes, and member records	Name, contact details, conversation history, notes
Meta (Facebook & Instagram)	Runs advertising and tracks ad performance via the Meta Pixel	Pseudonymised browsing and conversion data, where consented
Google	Reviews and search visibility	Reviews you publicly post
Our accountants and tax advisors	Statutory accounts, tax returns, audits	Transaction and financial data, where required
Legal authorities	Where compelled by law, court order, or to protect our legal rights	Whatever is required by law

Some of these providers are based outside the UK (for example, Stripe, Mailchimp, and Meta operate from the United States). Where data is transferred outside the UK or EEA, we rely on appropriate safeguards approved under UK GDPR - including the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or adequacy decisions where they exist.

6. The Meta Pixel

We use the Meta Pixel (a tracking technology from Meta, the company behind Facebook and Instagram) on our website. It allows us to measure the effectiveness of our advertising, understand how visitors use our site, and show you relevant ads on Facebook and Instagram.

The Pixel only runs after you consent via our cookie banner. If you decline, it does not load. You can also opt out of personalised advertising directly through your Facebook and Instagram ad settings, or via youronlinechoices.com.

7. Cookies

Cookies are small text files placed on your device when you visit our website. We use them to keep the site working, understand how it's used, and (with your consent) deliver personalised advertising.

The cookies we use

• Essential cookies: required for the site to function. These are set automatically and cannot be turned off.
• Analytics cookies: Squarespace's built-in analytics, which collect anonymised usage data so we can improve the site.
• Marketing cookies: the Meta Pixel, used to measure ad performance and deliver relevant advertising. Loaded only with your consent.

When you first visit, you'll see a cookie banner where you can accept, decline, or customise your preferences. You can change your choice at any time through your browser settings or by clearing cookies on our site.

8. How long we keep your data

We keep your data for only as long as we need it. Specifically:

• Member records: for the duration of your membership, plus 6 years after it ends (to comply with UK accounting and contract law).
• Health and injury information: for the duration of your membership, then deleted on request or within 12 months of your last session.
• Marketing data (Mailchimp): until you unsubscribe or request deletion.
• Enquiries that didn't become memberships: up to 24 months in Pipedrive, then deleted.
• Financial records (Stripe & accounting): 7 years (to meet HMRC requirements).
• Scholarship applications: for the duration of the scholarship, plus 12 months. Unsuccessful applications deleted within 6 months.
• Teen class consent forms: until the participant turns 18 or stops attending, then 12 months.
• Website analytics: 14 months (Squarespace standard).

9. Children and young people

We run free Saturday teen classes for ages 12-18. We collect personal data for under-18s only with the written consent of a parent or legal guardian, who completes our consent form before the young person attends.

We do not market directly to children. We do not collect data from children under 12. Parents and guardians can withdraw consent and request deletion of their child's data at any time by emailing hello@caliunity.com.

Where we hold safeguarding-relevant information (for example, medical conditions disclosed by a parent), we store it securely and share it only with coaches directly responsible for that young person's safety.

10. Scholarships and sensitive information

Our scholarship programme sometimes involves applicants sharing sensitive information - including injuries, mental health, or financial circumstances. This is special category data under UK GDPR.

We process this information only with your explicit, freely given consent, and only to assess your application and (if successful) deliver the scholarship. It is stored securely in Pipedrive with restricted access, never shared with third parties beyond our coaching team, and deleted within the retention periods set out above.

11. Your rights

Under UK GDPR, you have the following rights:

• The right to be informed - which is what this policy is for.
• The right of access - you can ask for a copy of the data we hold about you.
• The right to rectification - you can ask us to correct inaccurate data.
• The right to erasure ("right to be forgotten") - you can ask us to delete your data, subject to our legal obligations.
• The right to restrict processing - you can ask us to pause certain types of processing.
• The right to data portability - you can ask for your data in a portable format.
• The right to object - you can object to processing based on legitimate interests, including direct marketing.
• The right to withdraw consent - where we rely on consent, you can withdraw it at any time.
• Rights related to automated decision-making - we don't use automated decision-making or profiling that produces legal effects on you.

To exercise any of these rights, email hello@caliunity.com. We'll respond within one calendar month. We may need to verify your identity before acting on your request.

12. How we keep your data secure

We take security seriously. Specifically:

• Our website uses SSL encryption (the padlock icon in your browser) for all data transferred to us.
• Payment data is handled directly by Stripe, which is PCI-DSS compliant. We never see or store your card details.
• Our CRM, email, and storage providers (Pipedrive, Mailchimp, Squarespace, Google Workspace) use industry-standard encryption and access controls.
• Access to personal data inside CaliUnity is restricted to the team members who need it to do their job.
• Sensitive data (health information, scholarship applications, teen consent forms) is stored with restricted access and deleted on schedule.

No system is 100% secure. If we ever have a data breach that is likely to affect your rights, we will notify you and the ICO within the legally required timeframe (72 hours).

13. International data transfers

Some of our providers (Stripe, Mailchimp, Meta) are based in the United States. When your data is transferred outside the UK or EEA, we ensure it's protected by:

• The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses, or
• An adequacy decision recognised by the UK government, or
• The EU-US Data Privacy Framework (where the receiving company is certified).

14. Marketing communications

We only send marketing emails to people who have opted in - either by signing up for a free guide, attending a consultation, or ticking a marketing box on a form. Every marketing email has an unsubscribe link. You can opt out at any time, with no impact on your membership or services.

15. Complaints

If you have a concern about how we handle your data, please email hello@caliunity.com first - we'd rather fix things directly. If you're not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office:

16. Changes to this policy

We may update this policy occasionally to reflect changes in our practices or the law. The "last updated" date at the top tells you when it was most recently revised. For significant changes, we'll let active members know by email.

17. Contact us

Questions, requests, or concerns? Email us at hello@caliunity.com or write to: