Privacy Notice

This Privacy Notice relates to personal data processed and stored by Surrey Sports Park. Surrey Sports Park is a wholly owned subsidiary of the University of Surrey, which runs the sports facilities for students, staff and public members. We are registered as a data controller with the Information Commissioner’s Office and are committed to ensuring that the personal data we process is handled in accordance with data protection legislation. We have a Data Protection Officer, who can be contacted via dataprotection@surrey.ac.uk

This Privacy Notice is designed to protect you, our users by informing you how personal data is collected, how we look after that data and with whom we share it. Surrey Sports Park and the University of Surrey are committed to complying with the General Data Protection Regulation (GDPR).

WHAT PERSONAL DATA DO WE COLLECT AND WHY?

What personal data we collect from you depends on what you are doing when you visit us. For members we need to collect more personal data than for people who make the occasional visit.

PERSONAL DATA THAT WE COLLECT

• When you join us we will collect your name, date of birth, contact information and a limited amount of heath information.
• Your University student contact information including: current university card number, URN, student postal address, mobile and home number, student email address, DoB, gender, nationality, Emergency Contact name and number, Department code, Course name, University Status (eg, Current, Graduated etc).
• If you are not a member and make a booking here then we will need to collect your name, postal address, email address, date of birth and either a mobile or landline number.
• For all members and non-members bookings, individuals will be assigned a unique identifier which is used across our booking system to allow us to manage your use of our facilities.
• If you contact us by email, via the website, in person or by telephone we may keep a record of your contact information and enquiry and may subsequently use your contact details to respond to your enquiry.
• If you pay for your membership via Direct Debit we will collect your name, your bank’s name, account number and sort code details.
• We may also need to process your own / your child’s / family member’s personal data to protect your vital interests, for example, where we may have reason to believe that you or another person may suffer harm.
• When you sign up for any camps or courses using our platform, we collect your name, gender, DoB, Email and phone number. We also collect your child’s name, gender, DoB, Email, home number and address. This information is used for registers and for marketing future camps/courses.
• Surrey Sports Park may use Eventbrite to allow our customers to register/purchase tickets to a number of events. This includes events run by Team Surrey or any other event that is run by Surrey Sports Park.  We may collect your name, email address, postal address and payment method in order to process your order and provide you with tickets to events. This data may be used for future marketing.

WHY DO WE COLLECT AND PROCESS YOUR PERSONAL DATA?

We collect and process your data for the following purposes:

USE OF OUR FACILITIES

• We use your personal data so that you can use our facilities and for us to keep records of the process.
• We process your personal data if you have a contract with us. The most common form is when you have a membership with us to allow us to meet the terms of the contract that exists between us. This will include us collecting direct debit payments if you pay via this method.
• We are required by legal obligation to keep information about accidents which may occur at Surrey Sports Park and this will include personal data.

DETAILS OF YOUR TRANSACTIONS

• We collect data for any transactions you carry out through our website and directly on our premises so that we can administer the services you have with us. Please note that we never store your payment card details on our website or in our database.

BANKING

• If you pay for your membership through a Direct Debit mandate we need to store your bank account number, sort code, bank name and account name. This data is hosted within the University of Surrey’s Azure cloud tenant and with our software provider Legend by Xplor.
• We process payment card (credit card or debit card) information at the time we take payment. This data is not stored on our system (Legend by Xplor). When you pay via a Direct Debit we share this data with a third party (Bottomline) to process your payment on our behalf. The data shared with Bottomline includes; member name, BACS reference number, member number, account number, sort code, name on account and bank name.

CUSTOMER FEEDBACK & SURVEYS/RESEARCH

• We will record customer comments about how we are performing.
• We will process the information that you provide with your consent when you take part in a survey or research. These surveys enable us to provide you with a better service.

YOUR COMMUNICATIONS PREFERENCES

• We keep a record of any permissions and preferences you give us about what types of
  communication you are happy to receive from us.

HOW DO WE LOOK AFTER YOUR PERSONAL DATA?

• We maintain our systems in a secure environment, limiting access to your personal data to
  those who need it to provide our services to you.
• We will contact you according to your preferences.
• We will update your personal data or preferences promptly when you ask us to.
• We will let you see what personal data we hold about you when you request it.
• We will never sell your personal data to a third party.
• We will ensure that all personal data is held within the EEA (European Economic Area).

 RETENTION AND STORAGE

• We keep your personal data in line with our retention schedule. We only keep data for as long as we need to be able to.
• The data that Surrey Sports Park hold is hosted within the University of Surrey’s Azure cloud tenant and with our software provider Legend by Xplor.

SERVICES PROVIDED BY CONTRACTED THIRD PARTIES

We share your personal data externally with the following third parties;

• Our parent company, the University of Surrey
  • We use the University of Surrey to process Direct Debit payments. This uses
    external systems to allow Direct Debit payments to be validated and submitted –
    these are provided by Bottomline and BACS.
  • We use the University of Surrey access control system to limit access to various parts of our site (e.g. the swimming pool) to those members and guests who are eligible to use the facility. Where access is granted we send your name, email, member identifier, member card number and membership type to the University to enable this to be implemented.
  • We use the University of Surrey to invoice to individuals and to make payments to individuals who are suppliers of ours.
• The University of Surrey Students Union.
  • For our members who have a University of Surrey Student membership, we will provide a list of members to the Students
    Union to ensure that all students taking part in Team Surrey activities have a Surrey Sports Park membership.
• Legend by Xplor – to support our Leisure Management System (LMS). There will be
  times when they have access to the system for upgrades, enhancements and problem
  resolution.
• MailChimp – to send emails to our members and guests. You can withdraw consent
  for us to send you marketing emails at any point. Access to the data held in MailChimp is restricted to only those who need use it as part of their job.
• 4Global to allow us to manage the members and guest data. Access to the data held in 4Global is restricted to only those who need to use it as part of their job.
• University of Surrey IT department – to support any IT related issues that you may have with your account.
• HubSpot
  • HubSpot CRM to manage the information we hold on you
  • HubSpot Marketing to send marketing and service emails / surveys to our members and guests, where you have given us your consent to do so. You can withdraw consent at any point.
  • HubSpot Service to assist you with any issues you have at Surrey Sports Park, including online enquiries, membership queries, etc
  • Access to the data held in HubSpot is restricted to only those who need use it as part of their job.

MARKETING PARTNERS

• We will never sell or give your personal data to any third party for marketing or other purposes. Subject to your consent we may send you information we think you may be interested in receiving.

HOW DO WE USE YOUR PERSONAL DATA?

• We use your personal data to help us provide and improve our services for you. We may use your personal data in the following ways:
  • to provide you with any services that you have purchased
  • to check your identity
  • to validate your eligibility for memberships and activities
  • to check that our copy of your personal data is correct
  • to enable payment to be made
  • to let you know about any changes to an existing booking
  • to provide marketing communications, subject to your consent
  • for research and analysis so we can develop and improve our services for your benefit
  • to meet any legal obligations
  • To enable you to take part in any of our promotional activities

KEEPING YOU INFORMED

• There are some communications that we will need to send to you as part of our service to you. Without these we would not be able to provide you with our services – examples of these include changes to passwords, confirmation of bookings, welcome emails upon sign – up, changes to opening hours, notification of major events that may impact you visiting us and notices about any direct debit payments.
• For all other communications with ourselves you can choose if you want to receive them. All of our emails allow you to unsubscribe from any email sent by us to that email address. You can also opt out by contacting us directly either via email, phone and when visiting us. Details are provided in the contacts section.

YOUR RIGHTS TO MANAGE YOUR PERSONAL DATA

As an individual whose data we process (a data subject), you have certain rights in relation to the processing.

You have the right to:

• Withdraw your consent in circumstances where we are processing your personal data on that basis;
• Ask us to confirm that your personal data is being processed and to access (i.e. have a copy) of that data as well as to be provided with supplemental information about the processing;
• Request that we rectify any inaccuracies where the data we hold on you is inaccurate or incomplete;
• Have your data erased by us, although in certain circumstances we may not be able to do this, for example, where we must comply with a legal obligation or in managing your health and social care;
• Restrict the processing of your personal data in certain ways;
• Obtain your personal data for reuse;
• Object to certain processing of your personal data.

To exercise any of these rights, please contact: dataprotection@surrey.ac.uk

If you have any concerns about the way that we have handled your personal data please contact us as we would like to have the opportunity to resolve your concerns.  If you’re still unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office. Please see their website at: https://ico.org.uk/make-a-complaint/.

Hydrow

SSP have a Hydrow machine in their gym. Hydrow stores data in the US. Please see Hydrow’s privacy policy for more details.

Review

This Privacy Notice is due for review by the end of July 2025.

Like many other websites, we use small text files (called cookies) which are stored on your browser to perform a variety of functions. Below is some information covering the types of cookies our website uses and why.

INFORMATION ABOUT WEBSITE VISITS INCLUDING IP ADDRESS

The IP address is your computer’s individual identification number. We use your IP address to capture information about website visits so we can learn more about how our customers use the website in order to find ways to improve the website and our products and services for your benefit.

We may occasionally add Facebook pixels to certain pages of our website in order to collect information about your visit such as what pages you visited and what action was taken. This could entail us capturing information on which browsers have visited our site and then re-using that information for re-targeted advertising on other sites. This process helps us to track the value and accuracy of our marketing activities. No personal data is obtained from this process.

ANALYTICS COOKIES

We use Google analytics to track how people find and use our website. We use this information to identify how well this site is working, which areas are performing well and what areas could potentially be improved. This information is gathered anonymously and stored by Google.

CONVERSION TRACKING COOKIES

We spend money on various online marketing channels (like Google Adwords). To monitor the performance of our marketing efforts we sometimes use conversion tracking cookies associated with specific actions (eg signing up to our newsletter) so we can measure how effective each marketing avenue has been.

EMBEDDED VIDEO COOKIES

Sometimes we embed videos from other websites such as vimeo.com on our website. When we embed a video this allows the video provider to also set cookies on your browser. In most cases they will be using cookies to gather information which will allow them to improve their service. For more up to date information about specific cookies check with the video provider.

SOCIAL MEDIA COOKIES

We try to be as active as possible on various social media platforms and as such use a number of social media tools on this website. Each tool and plugin will be able to set cookies on your browser. For the most up to date information about specific social media cookies please check with the social media website in question.