Privacy Policy

How Hereford Human Performance Centre (HHPC) collects, uses, retains and protects personal data, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Last updated: 18 May 2026

1. Who we are (the data controller)

Hereford Human Performance Centre ("HHPC", "we", "our", "us") is the data controller for the personal data described in this policy. For any data-protection enquiry, contact the Director, Justin Jennings, at Info@herefordhumanperformancecentre.com or +44 7747 967461.

We are registered with the Information Commissioner's Office as a data controller. Registration reference: ZC151440.

2. What data we collect

We only collect what is necessary to respond to enquiries and to deliver engagements safely. This may include:

  • Enquiry data — name, organisation, email, phone, and the content of the message you send via the contact form.
  • Engagement data — records relating to a confirmed engagement: scope, planning notes, correspondence, named points of contact, and (where relevant) emergency contacts.
  • Health & fitness data (special category) — only where physical exposure is involved: medical clearance, screening results, baseline fitness data, relevant medical history, and dietary or accessibility requirements.
  • Financial data — invoicing and payment records held as required by HMRC.
  • Technical data — minimal server logs from this website (IP address, browser, timestamps) used to operate the site and protect against abuse. We do not use third-party advertising trackers.

3. Lawful basis for processing (UK GDPR Art. 6)

  • Legitimate interests — to respond to enquiries, manage correspondence, and run the business. You may object at any time.
  • Contract — to deliver an engagement you have entered into with us.
  • Legal obligation — to keep financial, tax and (where required) safeguarding records.
  • Consent — for any optional processing where consent is the appropriate basis, including all processing of health and fitness data (see section 4). Consent may be withdrawn at any time.

4. Health & fitness data (special category) — Art. 9

Health and fitness information is "special category" data and is handled with additional care. We rely on your explicit consent (UK GDPR Art. 9(2)(a)) to process it, given through a signed engagement consent form before any physical exposure begins. The contact form will only ever capture health information if you choose to include it and tick the explicit consent box; we recommend you do not share detailed medical information through the website at the enquiry stage.

Health data is stored separately from general correspondence, access is restricted to the Director and to specialist partners on a strict need-to-know basis, and it is deleted at the end of the retention period set out in section 7. You can withdraw consent at any time, in which case we will cease processing and delete the data, subject only to any overriding legal or insurance obligation that requires retention.

5. How we use your data

  • To reply to enquiries and arrange a confidential conversation.
  • To scope, plan and safely deliver an engagement.
  • To meet our professional, insurance, tax and safeguarding obligations.
  • To protect the security and integrity of this website.

We do not use your data for marketing, profiling, automated decision-making, or sale to third parties.

6. Who we share data with

We share personal data only where necessary and on a confidential basis:

  • HHPC-accredited specialists brought into an engagement, named to you in advance, and bound by equivalent confidentiality obligations.
  • Service providers acting as processors on our behalf — our website and database host (Supabase / Lovable Cloud), our email provider, and our accountant. Each is bound by a written data-processing arrangement.
  • Authorities where we are required to disclose by law (e.g. HMRC, a court order, or a safeguarding referral).

Some processors may host data outside the UK. Where they do, transfers are protected by an adequacy decision or by UK Standard Contractual Clauses / the UK International Data Transfer Addendum.

7. Retention schedule

We hold data only for as long as necessary. Our default retention periods are:

  Data category | Retention period | Reason
  --- | --- | ---
  Website enquiries that do not become engagements | 12 months from last contact | Follow-up & duplicate-enquiry handling
  Engagement records (correspondence, planning, scope) | 6 years after engagement ends | Limitation Act 1980 (contract / negligence claims)
  Health & fitness data, medical clearance, screening | 6 years after engagement ends (longer only if required by an insurer or regulator) | Duty of care, insurance & professional standards
  Safeguarding records | As long as required by applicable safeguarding guidance | Statutory & professional obligation
  Financial / invoicing records | 6 years + the current tax year | HMRC requirement
  Website server logs | 30 days | Security & abuse prevention

At the end of each period the data is securely deleted or irreversibly anonymised.

8. How we keep your data secure

  • Data is held on a UK/EEA-region database with encryption in transit (TLS) and at rest.
  • Access is restricted to the Director and, on a need-to-know basis, to named specialists.
  • Devices used to access data are protected by strong authentication and full-disk encryption.
  • Health data is held separately from general correspondence with stricter access controls.
  • A breach response process is in place; any qualifying personal-data breach will be reported to the ICO within 72 hours of becoming aware of it, and to affected individuals where required.

9. Your rights

Under the UK GDPR and the Data Protection Act 2018 you have the right to:

  • be informed about how we use your data (this policy);
  • request a copy of the personal data we hold about you (subject access);
  • have inaccurate data corrected (rectification);
  • have your data deleted (erasure / "right to be forgotten"), subject to legal limits;
  • restrict or object to processing, including processing based on legitimate interests;
  • data portability where processing is by consent or contract and carried out by automated means;
  • withdraw consent at any time for any processing that relies on it;
  • not be subject to solely automated decision-making (we do not carry out any).

10. How to make a subject access request

To exercise any of the rights in section 9, including a Subject Access Request (SAR):

  1. Email Info@herefordhumanperformancecentre.com with the subject line "Subject Access Request" (or the right you wish to exercise).
  2. Tell us what you'd like — a copy of your data, correction, deletion, or another right — and any date range or specific data that helps us find it.
  3. We may ask for proof of identity to make sure we don't disclose your data to someone else.
  4. We will acknowledge within 5 working days and respond in full within one calendar month, as required by UK GDPR Art. 12(3). Complex or numerous requests may be extended by up to two further months, and we will tell you if that applies.
  5. There is no fee, unless the request is manifestly unfounded or excessive.

11. Complaints

If you are unhappy with how we have handled your data, please raise it with us first so we can put it right. You also have the right to complain to the UK supervisory authority:

Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk — 0303 123 1113.

12. Changes to this policy

We will update this policy when our practices change and will note the date of the most recent revision at the top of the page.