Privacy Policy

This policy (together with our terms and conditions and any other documents referred to in it) describes how we collect and use your personal data during your use of the University Sports Facilities, our webpages, mobile application and our customer relations software.

The University of Oxford is committed to protecting the privacy and security of your personal information (‘personal data’).  This policy describes how we collect and use your personal data in accordance with the General Data Protection Regulation (GDPR) and associated data protection legislation.

Section A: Who is using your personal data?

The University of Oxford is the “data controller” for the information that we collect when you visit the website. This means that we decide how to use it and are responsible for looking after it in accordance with the GDPR.

Access to your personal data within the University will be provided to those staff who need to view it as part of their work in connection with the operation of the website. It will also be shared with the third parties described in Section E.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it. We may update this policy at any time.

Section B: Glossary

Where we refer in this policy to your ‘personal data’, we mean any recorded information that is about you and from which you can be identified. It does not include data where your identity has been removed (anonymous data).

Where we refer in this policy to your ‘protected characteristic data’, we mean any recorded information volunteered by you which relates to specific personal attributes defined by the Equality Act 2010, including age, disability, gender reassignment, marriage and civil partnership, pregnancy and maternity, race, religion or belief, sex, and sexual orientation, which are legally protected from discrimination, harassment, or victimization in employment and other contexts.

Where we refer to the ‘processing’ of your personal data, we mean anything that we do with that information, including collection, use, storage, disclosure, deletion or retention.

Section C: Types of data we collect about you

C1: From our website

We will automatically collect, store, and use the following categories of data when you browse and search our website, if you have consented to our use of cookies:

  • technical information, for example, the type of device (and its unique device identifier) you use to access our site, the Internet protocol (IP) address used to connect your device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, mobile network information and platform; and
  • information about your visit to our site including the full Uniform Resource Locators (URL), clickstream to, through and from the website (including date and time), pages you viewed, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

C2: For our customer relationship management system

All data is stored in UK-based data centres.

C2.1: Personal Data

For Oxford staff and Oxford students who use Single Sign-On to log in, we will inherit basic characteristics from the federated SAML Shibboleth.

All users will be issued a unique Member number (a Relation ID).

We recognise users by photograph, which our team will capture on your first visit, which also allows us to ensure that your card cannot be used by others if lost or stolen. We will of course collect your given name, a contact email address and phone number as a minimum.

Where we need to undertake a ‘Know Your Customer’ check relating to payments, we may also require your registered home address and postcode.

Some customers requesting a concessionary price will be asked to upload a document with proof of eligibility. Your choice of document may include personal data that we will hold while your membership is active.

C2.2: Sensitive Data categories

We may ask customers to volunteer sensitive data categories for the purpose of our better-targeted campaigns to widen participation in sport, physical activity and leisure for underrepresented groups.

C2.3: Sensitive Health data

We may collect any health-related data you provide us with when you sign up for health services, so that your progress can be tracked by yourself and by us. That may be for personal training or physiotherapy services. Those data may include heart rate data, nutritional requirements, blood pressure, mental wellbeing scale assessments, health MOTs, or other sports treatments history information.

We may ask for information about your health only where you engage with specific services to recommend appropriate exercise and physical or mental health improvement plans.

C2.4: Payment data

We will hold a record of financial transactions against your user account for up to 7 years; your transaction log shows dates, times and amounts paid. If you make a payment at the till without logging into your account, we would be unable to link that payment to you personally.

We process bank card information at the time we take payment in order to administer our services. At no point will our team ask for your bank details; please do not offer your card details to us.

Payment over the phone is made using a secure phone payment service, Pay guard, so that our team do not need to see or record your payment card information.

Payments made online or in person (chip & pin or contactless) are made via our partner Adyen. You may choose when paying online to save your card details for ease of payment via your mobile phone operating system or with Adyen. If you change your mind on that service, contact your mobile provider or Adyen direct. But it will not be possible to hold a pay monthly membership without saved payment information with Adyen.

Card data will never be collected or stored by the University, but is processed under Payment Card Industry Data Security Standard banking systems.

Financial data used during in-app purchases is not stored or processed by University of Oxford, but transacted solely through Adyen or Apple / Google Pay. Any purchases, refunds or cancellations bought through in-app purchases are administered by Adyen or Apple / Google and not by University of Oxford.

C2.5: Feedback

To improve our services, we will record customer comments, surveys and occasionally correspondence via the multiple platforms detailed below.

Where any phone calls are recorded for training purposes, you will be informed of that at the outset of the call.

C2.6: Other sensitive data

We may sometimes solicit voluntary data on ethnicity and other sensitive data categories in order to produce aggregated reports for statistical purposes; this data is always kept secure. However, these are voluntary data fields; if you change your mind, you can ask us to remove that data.

C2.7: Information about website visits including IP addresses

We can use your IP address to capture information about website visits, so we can learn more about our customers’ use of our website.

C2.8: Your communication preferences

We keep a record of any permissions you give us about what types of communication you are happy to receive from us.

We have three options you can manage via www.OnlineShop.Sport.Ox.Ac.Uk:

  • Notifications: Communications that relate to purchases, booking and cancellation preferences, facility updates.
  • Newsletters: Communications that relate to general news, not specific to your membership or purchases.
  • Offers: Communications that relate to special offers that may be unrelated to your specific membership package.

We have never and will not solicit third party direct marketing to our users.

You can always update your communication preferences under “My Profile” via the online shop platform or mobile app.

C2.9: Email tracking

We may use email tracking tools in order to ascertain whether an email we have sent you may have been opened and which links in that email were used.

We may store that information in order to ensure our communication is impactful.

C2.10: Closed circuit television (CCTV)

We use CCTV throughout our premises for health and safety monitoring and your security. It is also used in our swimming pool hall to help detect users struggling or drowning in the water.

CCTV footage may be shared with the police or other statutory bodies in the event of an incident, and it can only be accessed by authorised personnel such as security services or the head of department.

CCTV footage is retained for 30 days, unless called upon as evidence as part of a formal investigation, in which case it will not be retained more than 30 days after the conclusion of that investigation. In the case of criminal investigations, copies may be passed to the Police and entered into evidence.

Our Poseidon anti-drowning system is used to detect potential drowning down to a depth of 2.5 metres. The pool is monitored from above: dual overhead cameras provide a complete helicopter view of the pool. Footage from this system is retained not more than 30 days after the conclusion of an investigation. In the case of criminal investigations, copies may be passed to the Police and entered into evidence.

Section D: Cookies

The University of Oxford has a specific policy on Cookies from our websites which can be viewed here:

www.ox.ac.uk/cookies-privacy-policy

Section E: Data relating to children and vulnerable adults

While the majority of our services are available for customers aged 16 and over, we may accept registrations in our CRM system for children in specific circumstances, such as the provision of taught sports courses or summer camps, or for the purposes of ticketing and access control.

Where we are the coaching authority for the session, we may record your child’s progress in that sport against national governing body age or ability related standards.

Children under 16 years old must have a parent’s or guardian’s consent before holding an account with us involving data sharing. We do not wish to collect any personal information without consent; for this reason, remote website or app enrolment is limited to those whose date of birth places them over the age of 16.

We will not deliberately market to children aged under 16 years.

Proof of identity including age may be required and a copy of the document retained on the user’s account.

Section F: Principles of how we protect your data

  • We maintain secure systems to protect your personal information.
  • We respect your wishes about how we contact you, and by what method.
  • You are able to update your information or preferences readily in the app, or when you ask us to make changes in writing.
  • We will respond fully to any subject access requests.
  • We will not hold your personal information for longer than is necessary or for legitimate purposes.
  • We will follow strict procedures when storing or handling information that you have given us, with encryption for payment and password data.
  • We will never sell or your personal information to a third party.

Section G: Data Storage and access

We (the University of Oxford) are the ‘data controller’ for your personal data, which means we decide how to use it and are responsible for looking after it in accordance with the General Data Protection Regulation and associated data protection laws. Access to your data will be provided only to those who need to view it as part of their work in carrying out the purposes described above.

Your data will be held in UK data centres only. There are no current procedures or processes that require your data to be moved outside of the UK or European Economic Area.

Were we to begin to provide any new service that would need data transfer to another jurisdiction, we would contact you to re-issue our Privacy policy and give you the opportunity to opt in to services.

Where data is not needed for a legal or statutory purpose, we will delete this information if you request that.

You also have the option to be anonymized under your account profile, under “The right to be forgotten”, which will remove you from the database if you have no active memberships or upcoming bookings. To re-join in future, you would then require a fresh account / data record.

Section H: Services and partnerships with third party contractors in support of your services here

We may share your data with companies who provide services to us. These companies are required to take appropriate security measures to protect your data in line with our policies. We do not allow them to use your data for their own purposes. We permit them to process your data only for specified purposes and in accordance with our instructions. Where we share your data with a third party, we will seek to share the minimum amount necessary.

H1: Our third-party service providers are

Third party (and hyperlink to their privacy policy), followed by the service provided in brief:

Delcom

(From 29th June 2026) Leisure management software, which we use for storage and processing of your personal and sensitive data related to contracts for your memberships, subscriptions, bookings and sports organisation management, and communication preferences, with upstream integration for Shibboleth SSO (OU Staff and Students).

Adyen

Processing of your card payments via their platforms, with tokenised receipts only back to Delcom.

Les Mills

Where you opt in for Virtual fitness classes, they would require your mobile number for text authentication for login.

Innovatise GmbH

Where you opt in for Virtual fitness classes, they would require your mobile number for text authentication for login. Use of Google Analytics and Meta ads conversion tracking.

MyZone

Where you opt in to use MyZone, you supply directly to them the data necessary to build our online fitness community to recognise and reward effort.

InBody

Where you opt to use blood pressure or bioelectrical impedance testing, you can do so anonymously. You can also create an account with InBody with which to record your metrics over time. They can use a minimum of your mobile number for text authentication for login.

Gladstone MRM

(Until 31 October 2026) Leisure management software, which we use for storage and processing of your personal and sensitive data related to contracts for your memberships, subscriptions, bookings and sports organisation management, and communication preferences.

Verifone

(Until 31 July 2026) Processing of your card payments via their platforms, with tokenised receipts only back to Gladstone.

Flywire (formerly WPM)

(Until 31 July 2026) Processing of your card payments via their platforms, with tokenised receipts only back to Gladstone Join@Home Portal.

Bottomline Technologies

(Until 1st July 2026) Direct debit processing via BACS.

GB Group plc

(Until 31 July 2026) Address verification and bank details validation.

Oxford University Colleges (please refer to the specific college site)

Where your college subscribes you to a corporate deal, they will have limited permission access to act as an organisation secretary to approve or remove your corporate membership access. They will also have access to aggregated anonymized attendance and absence reporting.

Oxford University Sports Clubs (please refer to the specific college site)

Where your University Sports club subscribes you as a member, whether paid directly through Delcom or simply to tokenise membership for access control, they will have limited permission access to act as an organisation secretary to approve or remove your corporate membership access. They will also have access to aggregated anonymized attendance and absence reporting.

Playwaze

The data you give to Oxford University is not shared with Playwaze. However, we are able to access the data you do share with Playwaze. Playwaze is the BUCS platform used for competitions management and also UNIversal Gym membership.

Our Sports Federation use data from Playwaze to notify competing organisations of sports team line ups, so all organisations competing are confident that athletes fielded are eligible.

Should you access either of those services you will need to opt in and enrol to the Playwaze platform.

Kicklocker

We will share only publicly available and advertised email addresses for organisation secretaries that organise and run sports teams requiring team kit or other merchandise, to make introductions between sales representatives and incoming club committee secretaries.

Team Buildr

Our Blues Performance scheme utilises Team Buildr to manage group, team and individual training programs, tracking workout history over time to monitor athletic improvement. Use of this service is only via specific additional opt-in should you enrol onto the platform.

Your Personal Training

We direct customers to our licensed third-party to access Personal Training services. We do not share any data with Your Personal Training.

Les Mills virtual classes

In order to provide you with access to Les Mills virtual classes via a mobile app, it is necessary to supply your mobile phone number upon access request. There is no data required to attend in-person streamed classes.

The Iffley Club Cafe

We will share only publicly available and advertised email addresses for organisation secretaries that organise and run sports teams that may require catering services to support their home events, to make introductions between sales representatives and incoming club committee secretaries.

H2: Health partners

Where we operate services on behalf of Occupational Health, in partnership with Local Authorities, NHS clinical commissioning groups or trusts, or directly such as Physiotherapy and Sports Massage, data may be shared with those organisations at a summary level but not a personally identifiable level, unless you have told us we may do so through other explicit consent. For any health-related services, with your explicit additional consent we may share identifiable information with your referrer, which may be GP and NHS services (Health MOTs), or our Moving Minds project (Core-10 or SWEMWBS assessments).

Where services are delivered by our own staff, any case data about your account or services will be held as a secure record on your customer account.

Should any health service at a future date be outsourced to another third-party operator, they would inherit access to the health data to allow the continuance of the services. For any new partner to become a data controller or processor, that handover would require your repeat consent to a new privacy policy setting out that new partner organisation and their details.

Section I: Marketing partners

We will never sell your personal information to any third party for marketing or other purposes.

In some cases, we work in partnership with another organisation to provide marketing services to you. In these cases, the partner may contact you for marketing purposes if you have given us your permission to do so through your opt-ins.

Where photography or filming is taking place onsite for the purposes of sports marketing or by spectators, the department requires those filming to seek the permission of the general manager in advance.

The University provides specific guidance on photography and filming which is adhered to by our staff and any suppliers of services which we may engage.

Section J: How we use your information

We use your information to help us provide and improve our services for you. We may use your information in the following ways.

  • To provide you with any services that you have purchased or receive as part of a health or other scheme
  • To check your identity
  • To check your eligibility where appropriate
  • To update our records with any new information you give us
  • To notify you if we will be unable to provide a service you have booked before (if you have given us your permission)
  • To provide marketing communications (if you have given us your permission)
  • For research and analysis so we can develop and improve our services for your benefit (if you have given us your permission)
  • To tailor our communications to you to ensure relevance (if you have given us your permission)
  • To comply with legal requirements.
  • To safeguard users of our services

Section K: Keeping you updated

There are certain communications we need to send to you so we can provide our services.

We call these operational communications, and they include, for example, notices about your upcoming monthly payments, password resets, registration confirmations, appointment reminders and waiting list announcements. We would not be able to provide you with services if we did not send these.

We may from time to time contact you about our services or products we think you might find interesting by email, by post, telephone or SMS, but only if you have given us your permission to do so.

If you buy a service from us for a fixed period of time with a specific end date, such as an annual membership, we will contact you at the appropriate time to tell you that the service is coming to an end and how you can renew.

If you do not want us to contact you other than for service emails, let us know at reception@sport.ox.ac.uk or by logging in to your account at www.OnlineShop.Sport.Ox.Ac.Uk

Section L: Your data rights

L1: Accuracy

We will always try to ensure the data we hold about you is accurate and relevant. If you believe the information we hold about you is out of date or incorrect, please tell a member of staff or see the contacting us section below. You will need a form of identification to request any changes.

L2: Seeing your data

You have the right to know what personal information we hold about you. This is called a Subject Access Request.

L3: Removing your data

If you no longer use our services and products and wish us to delete your personal data, we will do this if there are no legal or statutory regulations requiring us to keep this information.

L4: Withdrawing consent

If we are relying on consent to process your data, you may withdraw your consent at any time by contacting us.

L5: Security

Your data will be held securely in accordance with the University’s policies and procedures. Further information is available on the University’s Information Security website: https://www.infosec.ox.ac.uk.

L6: Retaining your data

We will only retain your data for as long as we need it to fulfil our purposes, including relating to legal, accounting or reporting requirements.  OUS’s data retention policy is as follows:

  • OU Students: one year after you cease to be an OU student, or a year after your membership expiry.
  • OU Staff and External members: one year after expiry of your membership
  • Blues Awards records: indefinitely

We store and use your data in both a manual and electronic form.  Where you enrol in person, via a paper form, a paper copy of your membership form is stored securely on site only until the data is used for input to our customer relationship management system. All document data is stored securely onsite in locked offices and locked containers in the UK. The University contract for destruction of physical data is held by Select Environmental, who transfer secure waste to destruction.

Data is held only in UK data centres.

L7: Data provided by other University Departments

For Oxford University students, some of the recombinant information above is imported from the University’s Student Records system to understand our impact on widening participation.

Section M: Complaints about how we manage your data

If you are not happy about the way we manage your data, please contact us as quickly as possible by contacting your centre or usual contacts for providing our service.

In the first instance you can contact our local team using reception@sport.ox.ac.uk for any formal or informal enquiries. That could include a suspected data breach; please alert us. That can be passed to the relevant manager and allows for a local cessation of data use without awaiting any cascade of communications from other departments.

Freedom of Information requests are possible by approaching the University via foi@admin.ox.ac.uk. However, if you’re only requesting information on your own data, just get in touch with us on reception@sport.ox.ac.uk for a subject access request.

A subject access request can also be made via data.protection@admin.ox.ac.uk. However, they will need to contact the sports department to action that request, and we would therefore need to share your personal data with the data protection team before they can share that onward to you, as they do not have any day-to-day access to your personal data.

The University has a specific complaints policy relating to information compliance which you can use if you are unhappy with any initial response from the sports department.

You may also, as a final escalatory step, write to the ICO, which is the UK’s independent authority set up to uphold information rights. You have the right to contact them should you wish. Details can be found on their website: https://ico.org.uk/

Section N: Contacting us

We include the below summary of contact details contained in this policy:

Reception@Sport.Ox.Ac.uk for any general queries

Data.Protection@Admin.Ox.Ac.Uk for a formal subject access request

FOI@Admin.Ox.Ac.Uk for a freedom of information request