1. Introduction

Crusader 9 Boxing ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use any of our services, including:

• Our marketing website at crusader9.co.uk
• The member web app at app.crusader9.co.uk
• The Crusader 9 Boxing mobile app (available on iOS and Android)

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using any of our services, you agree to the collection and use of information as described in this policy.

2. Who We Are

Crusader 9 Boxing is the data controller responsible for your personal data. If you have any questions about this policy or how we handle your data, please contact us at info@crusader9.co.uk.

3. Information We Collect

3.1 Information you provide directly

When you register for a membership or use our services, we may collect:

• Full name, email address, phone number, and date of birth
• Profile photograph (required for membership identification and gym access)
• Emergency contact name and phone number
• Medical notes relevant to your participation in physical activity
• Parental or guardian details (for members under 18)
• Authorised collector information (for collecting minor members)
• Membership waiver and consent records (including timestamps)
• Payment information — processed securely via Stripe; we do not store card details

3.2 Information collected automatically

When you use our website or apps, we may automatically collect:

• Device type, operating system, and app version
• Login timestamps and session activity
• Class bookings, PT session bookings, and check-in records
• Push notification tokens (used to send notifications to your device)
• Apple Wallet and Google Wallet pass usage

3.3 Information from third parties

We receive limited information from the following third-party services:

• Stripe — payment status, subscription status, and customer identifiers
• Apple and Google — push notification delivery confirmations
• Expo (EAS) — mobile app delivery and push notification routing

4. How We Use Your Information

We use your personal data for the following purposes:

• To create and manage your membership account
• To process subscription payments and day pass purchases
• To allow gym entry via QR code scanning at the front desk
• To manage class bookings, PT session bookings, and day passes
• To issue digital membership cards via Apple Wallet and Google Wallet
• To send transactional emails (welcome, booking confirmations, payment receipts, payment failure alerts)
• To send push notifications about your account, bookings, or gym announcements
• To maintain safeguarding records for minor members
• To comply with our legal obligations
• To improve our services and resolve technical issues

5. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract — to fulfil your membership agreement and provide the services you have purchased
• Legitimate interests — to manage gym operations, maintain security, and improve our services
• Legal obligation — to maintain records required by law
• Consent — for marketing communications and optional data processing (you may withdraw consent at any time)
• Vital interests — in emergency situations where we need to share health information with medical professionals

6. Data Sharing

We do not sell your personal data. We may share your data with:

• Stripe — for payment processing and subscription management
• Postmark — for transactional email delivery
• Expo (EAS) — for mobile app push notification routing
• Apple and Google — for Wallet pass issuance and push notification delivery
• Our staff — for gym management and safeguarding purposes

All third-party providers are required to process your data securely and only for the purposes we specify. We do not share your data with third parties for their own marketing purposes.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with our legal obligations:

• Active member data — retained for the duration of your membership
• Membership records — retained for 7 years after membership ends for legal and financial compliance
• Payment records — retained for 7 years in accordance with HMRC requirements
• Waiver and consent records — retained for the duration of membership plus 7 years
• Minor member records — retained until the individual reaches 25 years of age or 7 years after the last activity, whichever is later
• Push notification tokens — deleted when you uninstall the app or your membership is cancelled

When your data is no longer needed, it is securely deleted or anonymised.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access — you can request a copy of the data we hold about you
• Right to rectification — you can ask us to correct inaccurate or incomplete data
• Right to erasure — you can ask us to delete your data in certain circumstances
• Right to restrict processing — you can ask us to limit how we use your data
• Right to data portability — you can request your data in a portable format
• Right to object — you can object to processing based on legitimate interests
• Rights related to automated decision-making — we do not use automated decision-making that produces legal or similarly significant effects

To exercise any of these rights, please contact us at info@crusader9.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

• All data is stored on secure servers in the UK
• Member profile photographs are stored as encrypted data in our database
• All data transmitted between your device and our servers is encrypted using HTTPS/TLS
• Access to personal data is restricted to authorised staff only
• Payment card data is never stored by us — all payments are handled by Stripe's PCI-compliant infrastructure
• Push notification tokens are stored securely and used only for delivering notifications to your device

10. Children's Privacy

We provide gym memberships to members under 18 (minors) with the explicit consent of a parent or guardian. For minor members:

• A parent or guardian must register and consent on behalf of the minor
• Parental consent timestamps are recorded at registration
• Medical notes and authorised collector information may be stored for safeguarding purposes
• Minor member accounts are linked to the parent's account and subject to additional safeguarding controls
• When a minor member turns 18, their account can be converted to an independent adult account

We do not knowingly collect data from children under 13 without verifiable parental consent.

11. Cookies and Tracking

Our marketing website (crusader9.co.uk) may use cookies for basic functionality and analytics. Our member web app (app.crusader9.co.uk) uses session cookies for authentication purposes only.

Our mobile apps do not use web cookies. They use secure local storage for authentication tokens only.

We do not use third-party advertising or tracking cookies.

12. Push Notifications

If you install our mobile app, we may request permission to send you push notifications. We use push notifications to:

• Notify you of booking confirmations and reminders
• Alert you to payment issues with your subscription
• Send gym announcements and updates

You can disable push notifications at any time through your device's notification settings. Disabling notifications will not affect your membership or access to the app.

13. Digital Wallet Passes

If you add your membership card to Apple Wallet or Google Wallet, your pass contains your name, membership ID, plan type, and a QR code. This information is used solely for gym access verification. No payment information is included on your digital pass.

Apple and Google handle the storage and display of your Wallet pass on your device in accordance with their own privacy policies.

14. International Transfers

Your data is primarily stored and processed in the United Kingdom. Some of our third-party service providers (including Stripe and Expo) may process data in the United States and other countries. Where data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you via email or a notice in the app. The date at the top of this policy indicates when it was last updated. Continued use of our services after changes are posted constitutes your acceptance of the updated policy.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:

You also have the right to make a complaint to the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113