01 Who we are (data controller)
The data controller is Julian Spiller, trading as Be The Change Fitness, a sole-trader fitness coach based in Wales, UK.
For all data-protection questions, requests, or complaints, contact: contact@bethechangefitness.co.uk.
You can also lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO), at ico.org.uk or by calling 0303 123 1113.
02 What we collect
We only collect what we need to deliver the Services or to comply with a legal obligation. There are three broad categories.
Contact details
- Name (first name, optional surname)
- Email address
- Mobile number (if you give it — used for check-in reminders or, with consent, direct contact)
- Date of birth (used to calculate appropriate calorie/training targets)
Health and fitness data
- Body measurements (weight, waist, hip, chest, arm, leg circumferences as you choose to share)
- Training history, injury history, current medications you have chosen to disclose
- Goals, lifestyle context, and weekly check-in answers (sleep, energy, hunger, stress, training adherence)
- Progress photos (if you choose to send them)
Health and fitness data is treated as “special category data” under Article 9 UK GDPR. We process it on the basis of your explicit consent (given at sign-up) together with performance of the coaching contract. You can withdraw consent at any time — the consequence is we cannot continue delivering coaching that depends on it.
Payment data
- Payment is processed by Stripe (card and recurring) or Klarna (pay-in-3). We see the order summary — amount, currency, package, last 4 digits of the card — but we never see or store the full card number.
- Stripe is PCI DSS Level 1 certified. Klarna is regulated by the Financial Conduct Authority in the UK.
03 Lawful bases for processing
| What we do | Lawful basis (UK GDPR Art. 6) | Special-category basis (Art. 9, if applicable) |
|---|---|---|
| Deliver paid coaching | Contract (Art. 6(1)(b)) | Explicit consent (Art. 9(2)(a)) |
| Send transactional emails (receipts, welcome pack, programme delivery) | Contract (Art. 6(1)(b)) | — |
| Send marketing emails (newsletter, free series, offers) | Consent (Art. 6(1)(a)) — you opt in | — |
| Basic site analytics | Legitimate interest (Art. 6(1)(f)) — understanding aggregate use | — |
| Comply with tax and accounting law (HMRC) | Legal obligation (Art. 6(1)(c)) | — |
| Defend or bring a legal claim | Legitimate interest (Art. 6(1)(f)) | Legal claims (Art. 9(2)(f)) |
04 Who we share data with (processors)
We use trusted third-party processors. Each is bound by a data-processing agreement and processes data on our instructions only.
| Provider | What they process | Region |
|---|---|---|
| Stripe | Payments & receipts (card, recurring) | Ireland / US (SCCs) |
| Klarna | Pay-in-3 instalments | EEA |
| Brevo (formerly Sendinblue) | Transactional & marketing email | EU (France) |
| Kahunas | Coaching delivery (training plans, check-ins) | UK / EU |
| Netlify | Website hosting & delivery | Global (US) — SCCs in place |
| Calendly | Consultation booking | US (SCCs) |
| Typeform | Application & intake forms | EU (Spain) |
| ManyChat | Instagram DM automation — only if you opt in via a comment-to-DM flow | US (SCCs) |
| HMRC | Statutory reporting where required by UK tax law | UK |
We never sell your data. We do not run paid advertising trackers (such as the Meta Pixel) on this site at the time of writing.
05 How long we keep your data
| Data type | Retention period |
|---|---|
| Active client coaching data (programmes, check-ins, measurements) | For the active term of coaching, then archived securely for up to 24 months in case of return or continuity. |
| Transactional and financial records (invoices, receipts, contracts) | At least 6 years from the end of the relevant tax year — required by HMRC. |
| Marketing email list (newsletter, free series subscribers) | Until you unsubscribe, then removed from active sending and held only in suppression for delivery compliance. |
| Application / consultation enquiries that did not convert | Up to 12 months, then deleted. |
| Site analytics | Aggregated, retained no longer than 26 months. |
06 Your rights
Under UK GDPR and the Data Protection Act 2018 you have the right to:
- Access — receive a copy of the personal data we hold about you.
- Rectification — correct anything inaccurate or incomplete.
- Erasure (“right to be forgotten”) — ask us to delete your data where we no longer need it for a lawful purpose.
- Restriction — pause processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format and have it transferred to another provider.
- Objection — object to processing based on legitimate interest, and stop marketing emails at any time.
- Withdraw consent — where processing is based on consent.
- Complain to the ICO — ico.org.uk.
To exercise any of these, email contact@bethechangefitness.co.uk. We will respond within one calendar month, in line with UK GDPR.
07 Cookies and analytics
We keep tracking minimal and deliberately avoid aggressive third-party advertising cookies.
- Strictly necessary cookies — used by Netlify and Stripe for site delivery, security, and payment session integrity. These cannot be switched off.
- Functional cookies — for example a local-storage flag holding your first name between pages of the 30 Ways sign-up flow. Not used to identify you across other sites.
- Analytics — aggregate visit counts via Netlify Analytics where enabled. No personally identifying profile is built.
If you do not consent to non-essential cookies, you can use private/incognito browsing or block cookies in your browser settings. Doing so will not affect your access to the free tools or coaching.
08 Children
The Services are not directed at people under 18. You must be 18 or over to purchase coaching. The free tools and email series are written for adults; if you are under 18, please use them only with the involvement of a parent or guardian.
09 International transfers
Some of our processors (Stripe, Netlify, Calendly, ManyChat) are headquartered in the United States. Where personal data is transferred outside the UK or EEA, the transfer is protected by the UK International Data Transfer Agreement (IDTA) or the European Commission’s Standard Contractual Clauses (SCCs), together with any additional safeguards required by the ICO’s guidance.
You can ask for a copy of the transfer mechanism in place for any specific provider by emailing the address above.
10 Security
We apply appropriate technical and organisational measures:
- Encryption in transit (HTTPS / TLS) across all sites.
- Access to client data is limited to Julian Spiller and any future authorised support assistant under a signed confidentiality agreement.
- Payment data is tokenised by Stripe / Klarna; we never hold card numbers.
- Devices used to access client data are protected by passcode / Face ID and full-disk encryption.
11 Changes to this Privacy Policy
We update this Policy when our processing changes, when a new processor is added, or when the law changes. The effective date at the top reflects the latest version. Material changes will be flagged to active clients by email at least 14 days in advance.
12 Contact
Data-protection contact: contact@bethechangefitness.co.uk
Be The Change Fitness · Julian Spiller · Wales, UK