BlocHaus Climbing Ltd is committed to protecting personal data in accordance with the Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR). This Privacy Policy explains how we collect, use, store, and share your personal data, and outlines your rights.

 

1. Why We Collect Personal Data

We collect personal data in order to:

• Operate and administer our indoor climbing facilities safely and effectively

• Manage memberships, bookings, waivers, and participation agreements

• Communicate with you about bookings, events, updates, or emergencies

• Process transactions and maintain accurate financial records

• Send marketing communications (only with your consent)

• Conduct recruitment and hiring activities

• Collect feedback through surveys to improve our services

Some information (e.g., emergency contacts, medical/safety information) is required for safety and cannot be withheld. Other data, such as marketing preferences or voluntary survey responses, is collected only with your consent.

 

2. Legal Bases for Processing

We rely on one or more lawful bases under UK GDPR:

• Contractual necessity: Memberships, bookings, participation in activities

• Legitimate interests: Facility administration, CCTV security, communications, safeguarding, business operations, recruitment, fraud prevention

• Consent: Marketing, newsletters, cookies, and certain medical information

• Vital interests: Protecting health or safety in emergencies

• Legal obligation: Accident reporting, accounting records, safeguarding duties

 

3. Sources of Personal Data

We may collect personal data from the following sources:

3.1 Direct Interactions

• Information you provide in person, online, via email, phone, social media messages (Instagram/Facebook), participation agreements or surveys

3.2 Third-Party Service Providers

• Rock Gym Pro (RGP)

• SmartWaiver (integrated with RGP)

• Stripe (payments)

• SendGrid (automated booking emails)

• Brevo (marketing emails)

• Wix and Google Forms (surveys)

• NICAS (youth programme registrations)

• Indeed and other recruitment platforms used for hiring

3.3 Public Sources

• Content you make publicly available online, including social media posts

3.4 Automated Website Data

• Cookies, IP addresses, device/browser information, and page interaction data

 

4. Types of Personal Data Collected

We may collect the following categories of personal data from members, visitors, participants, job applicants, and other individuals.

4.1 Personal Identification & Contact Information

• Full name, date of birth, address, postcode, email address, phone numbers

• Emergency contact details

• Signature or digital confirmation of terms and agreements

• For under-18s: parent/guardian details, relevant medical information

4.2 Photographs

• Verification photos: Used for identity confirmation at check-in (stored on RGP)

• Promotional photographs: Only used with explicit consent

4.3 Website Interactions, Cookies & Correspondence

• IP address, device type, browser type, location, page interactions

• Data from cookies, website forms, emails, or social media messages

• Feedback provided through surveys (Wix or Google Forms)

4.4 Transactions & Account Activity

• Payment history, billing information (processed by Stripe)

• Purchase records, membership activity, facility usage

• We do not have access to full card numbers or CVV codes

4.5 CCTV Footage

• Recorded without sound; retained for 30 days unless required longer

4.6 Incident & Safety Information

• Accident/incident reports

• Medical information voluntarily provided or required for safe participation

4.7 Recruitment Data

Collected through CVs, cover letters, applications via Indeed or other job sites, and interview notes:

• Employment history

• Qualifications and certifications

• References

• Right-to-work documentation (if required at offer stage)

Note: Employee data is handled separately under the Staff Privacy Notice.

 

5. How We Use Your Data

Your data may be used to:

• Operate and administer the climbing centre and membership system

• Process bookings, payments, and participation agreements

• Manage safety, safeguarding, and incident reporting

• Provide customer support and respond to enquiries

• Communicate updates, changes, or emergency information

• Deliver marketing communications (with consent)

• Analyse participation trends and improve services

• Conduct recruitment and hiring activities

 

6. Third-Party Services & International Transfers

We use trusted third-party providers to process personal data on our behalf:

• Rock Gym Pro (US): Membership & POS system (SCCs/UK Addendum)

• SmartWaiver (US): Digital waivers integrated into RGP (SCCs/UK Addendum)

• Stripe (UK/US): Payment processing (PCI DSS compliant)

• SendGrid (US): Automated booking and confirmation emails (SCCs/UK Addendum)

• Brevo (UK/EU): Marketing email platform

• Wix (Israel): Website forms (UK adequacy decision)

• Google Forms (EU/US): Surveys and feedback forms (SCCs/UK Addendum)

• NICAS (UK): Only name and DOB for eligible youth participants

• Indeed / recruitment platforms: Applicant data submission

We do not sell personal data. All third parties are contractually required to comply with UK GDPR.

 

7. Data Retention

Data is retained as follows:

• Membership & account data: Retained for the duration of your membership and indefinitely thereafter for legal and safety purposes

• Waivers & participation agreements: Retained indefinitely as evidence of consent

• Transactions & billing records: Retained indefinitely for accounting and audit purposes

• Medical/emergency information: Retained indefinitely or until consent is withdrawn

• CCTV footage: 30 days unless required longer

• Recruitment data: Retained indefinitely unless the applicant requests deletion or removes their information from third‑party recruitment platforms (e.g., Indeed). We may retain applications received via email or recruitment platforms for reference in future hiring unless a deletion request is made.

• Marketing consent: Retained until withdrawn (suppression list maintained)

All data is stored securely with access restricted to authorised personnel.

 

8. Children & Youth Programmes

• Parental/guardian consent required for under-18s

• Medical and emergency details collected only as needed for safe participation

• NICAS registration includes only name and date of birth

 

9. Your Rights Under UK GDPR

You have the right to:

• Access your personal data

• Request correction of inaccurate or incomplete information

• Request erasure where appropriate

• Restrict processing in certain circumstances

• Object to processing (including marketing)

• Withdraw consent at any time

• Request data portability

• Object to automated decision-making

• Lodge a complaint with the ICO

Some requests may be limited by legal or contractual obligations.

 

10. Security

We apply appropriate technical and organisational measures, including:

• Encrypted digital storage (via RGP and other providers)

• Secure storage of paper documents (e.g., incident reports)

• Role-based access for staff

• Staff GDPR and data protection training

• Regular security reviews

 

11. Cookies & Website Use

Our website uses cookies for:

• Strictly necessary: Essential for functionality

• Analytical / functional / marketing: Only used with consent

You may manage cookie settings through your browser or our website’s cookie banner.

 

12. Policy Updates

This policy is reviewed regularly by the DPO. Updates will be posted on our website or communicated where appropriate.

 

 

13. Questions or Complaints

 

Data Protection Officer:
Richard Wainwright
Email: richard@blochausclimbing.com | Tel: 0161 231 8898

 

Supervisory Authority (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Email: registration@ico.org.uk | Tel: 0303 123 1113