Gymshark App Privacy Policy

Privacy Notice

(aka how, why and when we use info relating to you!)

What this document does. You and data about you are protected by various laws and guidance and Gymshark are also committed to upholding these and respecting your privacy. This document applies if we process your personal data (i.e. data about you) because you are going to (or currently) use our awesome App. It lets you know about how we collect, use and protect any personal data we collect about you once you have downloaded or streamed a copy of the App on your mobile or handheld device, sets out how we comply with the data protection laws and confirms what your rights are.  Before you install our App, please read through this document and indicate your consent to our processing of your personal data (including your name, contact details, financial and device information) as described in this notice.

Let’s break it down. To make life easier, we have broken down this information into handy chunks, so you can click through to see specific areas.  This Notice provides details about:


WHO WE ARE AND GETTING IN TOUCH

Who we are. In case you have been living under a rock somewhere, the App is offered by Gymshark Limited. We are a company incorporated and registered in England and Wales with company number 08130873. Our main office is at G.S.H.Q. Blythe Valley Park, 3 Central Boulevard, Solihull, United Kingdom, B90 8AB. We are a Data Controller for the purposes of your use of our App registered with the UK Information Commissioner’s Office with registration number ZA317295.

If you have queries/complaints/concerns - give us a shout! If you have any queries regarding your personal data and how it may be used by Gymshark, then you can contact us at mydata@gymshark.com and by post (retro!) at My Data Queries, GSHQ, Blythe Valley Park, 3, Central Boulevard, Solihull, B90 8AB, United Kingdom.

Let us know if things change – we get it, sometimes life moves on.  However, it is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you as soon as possible.

Complaints. We hope there aren’t any, but if you believe we have not handled your personal data in accordance with the law, you always have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at Wycliffe House, Water Lane, Wilmslow, SK9 5AF, United Kingdom, or to another competent supervisory authority of an EU member state if the App is downloaded outside the UK.  Further information, including contact details, is available at https://ico.org.uk.

Changes to the privacy policy. We keep our privacy policy under regular review. This version was last updated on 1st May 2020. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you when you next start the App. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App.  Where this will change how we use your data and we have relied on your consent, we will ask you to confirm you are happy for us to process your personal data in this way.

WHAT PERSONAL DATA DO WE COLLECT?

We may collect, store and transfer the following information about you:

  • Identity Data: includes your first name, your last name, App ID, personal or online identifier or alias (or other identifier), title, date of birth, age, Internet Protocol address and gender.
  • Contact Data: addresses (including billing and delivery addresses), and email address.
  • Location Data: includes your current location disclosed by the Apple software (where you are using an Apple device) or the Google software (where you are using an Android device). We do not use separate location tracking software on our App.
  • Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Transaction Data: includes details about payments to and from you.
  • Usage Data: includes details of your use of our App, where you saw the advert for our App, traffic data and communication data whether this is required for our own billing purposes or otherwise and the resources that you access.
  • Device Data: includes information about the device you use and its unique device identifier, for example your device’s IMEI number, the MAC address of the device’s wireless network interface, or the mobile phone used by the device, mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting and also includes the IP address, device type, usernames and account details.
  • Profile Data: includes your user name, in-App purchase history, your interests, preferences, feedback and competition survey responses and any inferences drawn from any personal data to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes. Correspondence and communications with us, including those relating to complaints, allegations, disputes and claims, also fall into this category.
  • Content Data: includes information stored on your device, including login information, videos, photographs and audio recordings or other digital content, check-ins or your workout data that you input and upload and your social media handles, posts and information about your followers that you tag us in.
  • Special Categories of Personal Data: There are limited situations in which we collect, store and use these “special categories” of more sensitive personal data. Where we do collect any special category personal data, we will do so based on your explicit consent. However, if you don’t consent this may limit certain features that we can provide in respect of the App.

Aggregated Data. We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could come from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.  We may use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, improving our App and our website and developing new products and services and for other purposes.

Children

Our App and other services we provide are not intended for use by anyone under the age of 18 years and we do not knowingly collect personal data relating to anyone under the age of 18. If you are under 18, sorry kid, you are just not ready for this - please uninstall our App until your 18th birthday! This is because no one under age 18 is authorised to submit or post any information, including personally identifying information, on our App.  Parents or legal guardians of children under 18 cannot agree to these terms on their behalf.

WHERE DO WE GET YOUR PERSONAL DATA?        

Where do we get it from: You!

How do we receive it: This is information that you consent to giving us about you by:

  • filling in forms on the App, or corresponding with us (for example by email or chat);
  • registering to use and/or downloading our App, subscribing to any of our services, or searching for our App or services;
  • making an in-App purchase;
  • entering data about workouts you have done, or reporting a problem with an app, our services or any of our sites;
  • contacting us (we will keep a record of that correspondence); and
  • communicating with us regarding our App or services, to ask a question, report a problem or for any other reason.

What types of personal data: Identity Data, Contact Data, Profile Data, Transaction Data, Marketing and Communications Data, Location Data

Where do we get it from: Your device

How do we receive it: Each time you use our App we will automatically collect personal data. We collect this data using technologies similar to cookies.

What types of personal data: Device Data, Content Data, Usage Data

Where do we get it from: Third Parties and other publicly available sources

How do we receive it: Credit reference agencies including those which carry out data cleansing services

What types of personal data: Identity Data

How do we receive it: Organisations that carry out research and analysis as follows:

  • Appsflyer
  • Mixpanel

What types of personal data: Location Data, Device Data, Profile Data, Usage Data, Contact Data, Marketing and Communications Data, Transaction Data

How do we receive it: Publicly available information, including:

  • Social Media platforms including LinkedIn, Instagram, YouTube, Twitter or public Facebook page;
  • Your professional advisors including lawyers, accountants and other advisors; and
  • Government, local authorities or relevant regulators.

What types of personal data: Identity Data, Profile Data, Contact Data

How do we receive it: Organisations that help our App run and also help fix any problems, including:

  • Instabug
  • Braze
  • Apple (where you are using an Apple device)
  • Google (where you are using an Android device)

What types of personal data: Identity Data, Contact Data, Profile Data

HOW WE USE YOUR DATA

See below our handy table to show you the purposes that we use each category of your personal data for and the lawful bases that we have for processing each of those types of personal data. 

Purpose/activity: To carry out identity checks so we know who we are entering into a contract with

Lawful Basis for processing: Processing is necessary for the performance of our contract with you.

Purpose/activity: To deal with queries, complaints, claims, legal disputes submitted by you

Lawful Basis for processing: We have a legitimate interest to investigate any query, claim, complaint or dispute submitted by you.

Purpose/activity: Analysis of your data that we collect and hold, process payments, send communications to our customers, provide us with legal, property or financial advice and generally help us deliver our products and services to you

Lawful Basis for processing: Processing is necessary for the performance of the contract with you.

Purpose/activity: Data analytics, statistical analysis and other research, including in respect of various data collecting technologies to help us improve our products and services to maintain and improve our services and/or products

Lawful Basis for processing: We have a legitimate interest in improving the online services and/or products we provide and user experience.

Purpose/activity: To ensure the security of our IT systems and your login details

Lawful Basis for processing: We have a legitimate interest in ensuring the security of our IT systems and to protect your login details.

Purpose/activity: Direct marketing and App marketing activities

Lawful Basis for processing: Your explicit consent

Purpose/activity: Assisting government, local authorities, relevant regulators and the police in the prevention, detection, investigation of crime, prosecution of offenders and providing relevant information required.

Lawful Basis for processing: To comply with any legal obligations and regulatory obligations.

Purpose/activity: Keep and maintain appropriate records to ensure we can provide the app and any related services to you, so that we comply with our legal and regulatory obligations, have appropriate records in order to provide the app and any additional services to you and also so we have back-up data.

Lawful Basis for processing: To comply with any legal obligations and regulatory obligations.

Purpose/activity: Content of workout analysis, selecting which workouts to present to you, collecting data of what workouts users undertake, how much they do and whether they undertake similar/different workouts regularly

Lawful Basis for processing: We have a legitimate interest in improving the online services and/or products we provide and user experience.

Purpose/activity: Building a profile of your interests based on your activities within the App and other information available to us from your purchases and interactions with our website, marketing communications and online adverts, and from our partners such as social media and app store providers.

Lawful Basis for processing: We have a legitimate interest in improving the online services and/or products we provide and user experience. Where you decide to provide biometric information (e.g. your height and weight), we will rely on explicit consent.

Purpose/activity: The app will temporarily store some information about your interaction with the app on your device. The information will be transferred to our secure systems using your telecommunications data or wireless network as soon as possible and once this data is transferred, this data will be deleted from your device.

Lawful Basis for processing: We will rely on your consent to be able to access your device and store (and retrieve) information on it.

We will not use your personal data to target, segment, or profile individuals based on health (including pregnancy), negative financial status or condition, political affiliation or beliefs, racial or ethnic origin, religious or philosophical affiliation or beliefs, sex life or sexual orientation, trade union membership, or data relating to alleged or actual commission of a crime,  for any unlawful or discriminatory purpose or in a manner that would be inconsistent with your reasonable expectation of privacy.

IF YOU DON’T WANT GYMSHARK TO HAVE ACCESS TO DATA YOU CONSENTED TO

What to do if you change your mind

For some of your personal data you may have a legal, contractual or other requirement or obligation for you to provide us with your personal data.  If you do not provide us with the requested personal data, we may not be able to properly perform our contract with you or comply with legal obligations and we may have to terminate our relationship.  For other personal data you may not be under an obligation to provide it to us, but if you do not provide it then we may not be able to properly provide you all the functionality of the App or provide any additional services to you.

If you consented to provide us with certain personal data for processing, you may change your mind and withdraw consent at any time by contacting our customer support team at support@gymshark.com but that will not affect the lawfulness of any processing carried out before you withdraw your consent.  We may still be entitled to hold and process the relevant personal data to the extent that we are entitled to do so on a basis other than your consent.  Withdrawing consent may also have the same effects as not providing the information in the first place, for example, we may no longer be able to provide full functionality or certain services to you.

Location Data

You can choose whether you want us to know your country and city in your Apple settings (where you are using an Apple device) or your Google settings (where you are using an Android device).  You can withdraw your consent at any time by disabling Location Data in your settings.

Changing Marketing Preferences

You have the right to opt out of receiving marketing communications from us at any time, by:

  1. updating your preferences in the App settings;
  2. informing us that you wish to change your marketing preferences by contacting our customer support team at support@gymshark.com;
  3. making use of the simple “unsubscribe” link in emails; and/or
  4. contacting us via email at mydata@gymshark.com or by post to My Data Queries, GSHQ, Blythe Valley Park, 3, Central Boulevard, Solihull, B90 8AB.

This will not stop service messages such as order updates and other non-marketing communications.

Technologies capturing use

Our App uses technologies to capture personal data such as the browsing and behaviours of people who use our App.

We currently use technologies on our App which rely on implied consent of users.  In recognition of the fact that the implementation date for the revised e-Privacy Regulation remains unknown, we are taking reasonable steps now to align our use of session events with the standard of consent required by GDPR. This means that we are in the process of updating the tool, which, by default, requires explicit opt in action by users of our App. This will apply to the non-necessary session tools. We will ensure any necessary session tools for functionality and security are marked so that they are not deleted by the tool.

Detailed information about how we use such technologies is in our Cookie Policy. This will allow you to make an informed choice as to whether you wish to accept our use of such technologies.

WHO WE SHARE YOUR PERSONAL DATA WITH

Third Party: Gymshark Group companies

What types of personal data: Usage Data

Third Party: Purchasers, investors, funders and advisers if we sell or negotiate to sell all or part of our business or assets or restructure our business whether by merger, re-organisation or otherwise

What types of personal data: The following data will be Aggregated Data: Usage Data, Location Data, Identity Data

Third Party: Our professional advisors including lawyers, accountants and other advisors

What types of personal data: Identity Data, Contact Data, Location Data, Marketing and Communications Data, Transaction Data, Usage Data, Device Data, Profile Data, Content Data

Third Party: Other service providers and advisors to us including companies that support our IT, help us analyse the data we hold, process payments, send communications to our customers, provide us with legal, property or financial advice and generally help us deliver our products and services to you, including:

  • Apple (where you are using an Apple device)
  • Google (where you are using an Android device)
  • Instabug Inc.
  • Braze

What types of personal data: Identity Data, Contact Data, Marketing and Communications Data, Location Data, Usage Data, Device Data, Profile Data, Content Data, Transaction Data

Third Party: Organisations who carry out research, analysis and/or data cleansing services, including:

  • Apps Flyer
  • Mixpanel

What types of personal data: Usage Data, Identity Data, Contact Data, Profile Data, Marketing and Communications Data, Special Categories of Personal Data, Location Data, Transaction Data

Third Party: Governmental bodies, regulators, law enforcement agencies, security services, courts/tribunals and insurers including where we are required to do so in order to comply with our legal obligations and the administration of justice.

What types of personal data: Usage Data, Identity Data, Contact Data, Location Data, Profile Data, Content Data, Device Data, Transaction Data

HOW WE PROTECT YOUR DATA

Our controls

Gymshark is committed to keeping your personal data safe and secure and so we have numerous security measures in place to protect against the loss, misuse and alteration of information under our control.  Our security measures include:

  • encryption of personal data;
  • regular cyber security assessments of all service providers who may handle your personal data;
  • regular planning to ensure we are ready to respond to cyber security attacks and data security incidents;
  • weekly penetration testing of systems;
  • security controls which protect our IT systems infrastructure and our premises from external attack and unauthorised access;
  • internal policies setting out our data security rules for our personnel; and
  • regular training for our employees.

We take data security very seriously and will use all reasonable endeavours to protect the integrity and security of the personal data we collect about you.

WHAT YOU CAN DO TO HELP PROTECT YOUR DATA

You should always be cautious when sharing your personal data. No one from our company will ever ask you to confirm any bank account or credit card details via email.  If you receive an email claiming to be from Gymshark asking you to do so, please ignore it and do not respond.

If you are using a computing device in a public location, we recommend that you always log out and close the website browser when you complete an online session.

In addition, we recommend that you take the following security measures to enhance your online safety:

  • When creating a password, use a difficult word/number combination of at least 8 characters that is not easily guessed and is not something that can be easily obtained, such as your name, email address, or other personal data.
  • Frequently change your password (you can do this in your account settings).
  • Avoid using the same password for different online accounts.

HOW LONG WE KEEP YOUR DATA

We will not retain your personal data for longer than necessary for the purpose for which it has been obtained and then for as long as there is any risk of a potential claim, which will be dependent upon the limitation period for the particular type of claim. Various laws, accounting and regulatory requirements applicable to us also require us to retain certain records for specific amounts of time. In relation to your personal data, we will hold this only for so long as we require that personal data for legal or regulatory reasons or for legitimate organisational purposes. We will not keep your data for longer than is reasonably necessary for the purposes for which we collect it.

INTERNATIONAL TRANSFERS

The personal data we collect may be transferred to and stored in countries outside the UK and the European Union. This will typically occur when service providers are located outside the UK and the European Union or if you are based outside the UK and the European Union.  These transfers are subject to special rules under data protection laws.

Some of these jurisdictions require different levels of protection in respect of personal data and, in certain instances, the laws in those countries may be less protective than the country you live in. We will ensure that your personal data is only used in accordance with this document and applicable data protection laws and is respected and kept secure and where a third party processes your personal data on our behalf we will ensure that one of the following safeguards is implemented:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in the UK and the European Union; and
  • where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the US.

Our directors and other individuals working for us may in limited circumstances access personal data outside of the UK and European Union if they are on holiday abroad outside of the UK or European Union.  If they do so they will be using our security measures and will be subject to their arrangements with us which are subject to English Law and the same legal protections that would apply to accessing personal data within the UK. 

In limited circumstances the people to whom we may disclose personal data as mentioned in the “Who We Share Your Personal Data With” section above may be located outside of the UK and European Union.  In these cases, we will impose any legally required protections to the personal data as required by law before it is disclosed. 

For further details and information, or if you have any queries, please contact us by using the details set out in the “Who we are and getting in touch” section above.

I KNOW MY RIGHTS!

You have the following rights in relation to your personal data:

  • The right to be informed about how your personal data is being used.
  • The right to request access to personal data we hold about you.
  • The right to ask us to update and correct any out-of-date or incorrect personal data that we hold about you.
  • The right to object to processing of your personal data and/or to withdraw any consent you have given us and to opt out of any marketing communications that we may send you.
  • The right to restrict processing of your personal data.
  • The right to object to certain automated decision-making processes using your personal data including profiling.
  • The right to request that we erase your personal data in certain circumstances (the right to be forgotten) for example when the data are no longer necessary for the purpose for which we collected them.
  • California Residents: If you reside in California and have provided personal data to us, you may request information about our disclosure of certain categories of personal information to third parties for their direct marketing purposes.  Such requests must be submitted to us at one of the following addresses: email to DPO@gymshark.com or post to My Data Queries, GSHQ, Blythe Valley Park, 3, Central Boulevard, Solihull, B90 8AB.
  • The right to object to direct marketing and profiling.  You may have the right to opt out of some automated processing, including profiling, at any time by:

    1. informing us that you wish to opt out of automated processing by contacting our customer support team at support@gymshark.com; and/or

    2. contacting us by email to mydata@gymshark.com or post to My Data Queries, GSHQ, Blythe Valley Park, 3, Central Boulevard, Solihull, B90 8AB.

  • The right to have your personal data provided to you by us in a structured, commonly used and machine-readable format and transmitted to another data controller. This is known as the right to data portability.

You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply as they have specific requirements and exemptions which apply to them and they may not apply to personal data recorded and stored by us.  However, some have no conditions attached, so your right to withdraw consent or object to processing for direct marketing are absolute rights.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

The law in this area is complex and this document only gives you a general summary of your legal rights in respect of personal data. If you are a keen bean, find out more on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

If you wish to exercise any of the above rights, you can always contact us using the details set out in the ‘Who we are and getting in touch’ section above.

We aren’t responsible for everyone! Our sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as contact and location data. Please check these policies before you submit any personal data to these websites or use these services.

Version 1st May 2020