Privacy Policy
What personal data we collect, how we use it, and your rights over it. Plain English, no legal performance.
Who we are
Gymletics Limited is the data controller for any personal information you share with us through this website.
If you have questions about how we handle your data, or want to exercise any of your rights described below, email us.
What information we collect
We collect the minimum personal information needed to sell you products, deliver your orders, and run our business honestly.
Information you give us directly
- Name, email address, phone number, billing and delivery addresses
- Payment information (handled by our payment processors, not stored by us, see Section 5)
- Order history and account preferences if you create a Gymletics account
- Messages, photos, or order details you send us by email or live chat
- Newsletter subscription status if you sign up for our emails
Information we collect automatically when you visit the site
- Device type, browser type, operating system, screen size
- IP address and approximate location (city or country level only)
- Pages you view, how long you spend on them, where you came from, and where you go
- Items added to cart, items removed, checkout abandonment
- Cookie data (see Section 8)
Information we receive from third parties
- Payment confirmation and fraud screening from Klarna, PayPal, Apple Pay, Google Pay, and our card processor
- Delivery status updates from Royal Mail, Evri, and DHL Express
- Engagement data from Meta and TikTok if you reach our site via their advertising platforms
Why we collect it and what we do with it
We process your personal information for the following purposes, with the lawful basis under UK GDPR shown for each:
To fulfil your order (lawful basis: contract)
- Process payments
- Confirm and dispatch orders
- Handle returns, exchanges, and refunds
- Respond to customer service enquiries
To run our business (lawful basis: legitimate interests)
- Improve the website and product range based on aggregate usage data
- Detect and prevent fraud
- Keep accounting records as required by HMRC
- Defend any legal claims
To send you marketing (lawful basis: consent, which you can withdraw at any time)
- Newsletters about new products, restocks, and brand updates, only if you've opted in
- Cart-abandonment reminders if you started a checkout but didn't complete it
To comply with our legal obligations (lawful basis: legal obligation)
- Tax records, accounting records, modern slavery reporting, consumer rights compliance
We do not sell your personal information to third parties. We do not share your data with anyone except the service providers listed in Section 5, who need it to do their jobs for us.
How long we keep your data
We keep personal information only for as long as we need it:
After these periods expire, we either delete your data or anonymise it so it can no longer be linked back to you.
Who we share your data with
We share your data only with service providers who help us run Gymletics. Each one is bound by a data processing agreement that limits what they can do with your data.
Platform & Infrastructure
- Shopify Inc. runs our website, checkout, and customer accounts. Data is stored on Shopify's servers (primarily in the United States, with EU and UK data residency options where available).
- Shopify Email sends our transactional emails (order confirmations, dispatch notifications).
- Shopify Inbox runs the live chat feature on our website.
Marketing
- Mailchimp (Intuit Mailchimp) sends our marketing newsletters and stores the email addresses of subscribers who have opted in.
Payments
- Shopify Payments as primary card processor
- Klarna Bank AB for buy-now-pay-later
- PayPal
- Apple Pay (via Apple Inc.)
- Google Pay (via Google LLC)
Delivery
- Royal Mail and Evri for UK orders
- DHL Express for international orders
Analytics & Advertising (only with your cookie consent, see Section 8)
- Google Analytics (Google LLC) for website usage analytics
- Meta Pixel (Meta Platforms Ireland) for advertising and conversion tracking
- TikTok Pixel (TikTok Information Technologies UK) for advertising and conversion tracking
Business Administration
- Our UK accountant for bookkeeping and tax purposes
- Our UK solicitor for legal matters if needed
- HMRC, Companies House, ICO, and other UK regulators where required by law
We do not share your data with anyone outside these categories. We never sell your data. If we add new tools in the future, such as customer review apps or additional marketing platforms, we will update this policy before activating them.
International data transfers
Some of the service providers listed above are based outside the UK, primarily in the United States (Shopify, Google, Meta, TikTok, PayPal, Mailchimp). When your data is transferred internationally, we rely on the following safeguards under UK GDPR:
- UK-US Data Bridge or the EU-US Data Privacy Framework where the recipient is certified
- Standard Contractual Clauses approved by the ICO for transfers to other countries
- Adequacy decisions issued by the UK government for transfers to countries with equivalent protection (e.g. EU member states, Switzerland)
You can request more information about the specific safeguards in place for any transfer by emailing admin@gymletics.com.
Your rights
Under UK GDPR, you have the following rights over your personal data:
To exercise any of these rights, email admin@gymletics.com with details of your request. We'll respond within one calendar month, or explain if more time is needed for complex requests. Our service is free unless your request is manifestly unfounded or excessive.
Cookies and similar technologies
A cookie is a small text file stored on your device when you visit a website. We use cookies to make the site work, to understand how it's used, and (with your consent) to show you relevant marketing.
Cookies fall into four categories on our site:
You can manage your cookie consent at any time via the cookie banner on the site (look for the cookie icon in the bottom corner of every page), or by clearing your browser cookies and revisiting.
If you decline non-essential cookies, the site will still work fully. You just won't see personalised ads, and we won't have analytics data about your visit.
For a full list of cookies currently in use, including expiry dates and the third-party providers involved, see your cookie preferences panel.
Children's privacy
Gymletics products are sold to adults. We do not knowingly collect personal information from anyone under 16. If you're under 16, please don't submit personal information through this site.
If you believe a child under 16 has provided personal information to us, email admin@gymletics.com and we'll delete it.
Security
We take reasonable steps to protect your personal data:
- The website runs on HTTPS encryption end-to-end
- Payments are processed via PCI-DSS compliant providers (Shopify Payments, Klarna, PayPal)
- Customer account passwords are hashed, not stored in plain text
- Access to customer data within Gymletics is limited to staff who need it for their work
- We review our security practices regularly
No system is 100% secure. We can't guarantee that data transmitted to us over the internet is invulnerable to attack, but we do our best to protect what we hold.
If we ever experience a data breach that affects your personal information, we'll notify you and the ICO within 72 hours of becoming aware of it, as required by UK GDPR.
Marketing communications
You'll only receive marketing emails from us if you actively opt in, either by ticking a marketing box at checkout, signing up to our newsletter, or accepting marketing cookies that enable Klarna or Shop Pay communications.
You can unsubscribe at any time:
- Click the "Unsubscribe" link at the bottom of any marketing email
- Email admin@gymletics.com asking us to remove you
- Log into your Gymletics account and update your marketing preferences
Unsubscribing from marketing doesn't affect transactional emails (order confirmations, dispatch notifications, etc.). These are necessary to fulfil your order.
Regional supplements
The following sections apply if you're located in specific regions with additional privacy laws.
European Union (EU GDPR)
If you're in the EU, EU GDPR applies to our processing of your personal data in the same way that UK GDPR does. You have the same rights described in Section 7. Your supervisory authority is the data protection authority of your country of residence. Find yours at edpb.europa.eu.
California, USA (CCPA / CPRA)
If you're a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):
- The right to know what personal information we collect, use, share, or sell
- The right to delete personal information we hold about you
- The right to correct inaccurate personal information
- The right to opt out of the "sale" or "sharing" of personal information for cross-context behavioural advertising
- The right to limit use of sensitive personal information
- The right not to be discriminated against for exercising these rights
We do not "sell" personal information for money. However, the use of cookies for behavioural advertising (Meta, TikTok) may qualify as "sharing" under California law. You can opt out at any time via the cookie banner. To exercise any other right, email admin@gymletics.com with "California Privacy Request" in the subject line.
Canada (PIPEDA)
If you're in Canada, we process your personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA). You have rights of access and correction, and can submit complaints to the Office of the Privacy Commissioner of Canada at priv.gc.ca.
Australia and New Zealand
If you're in Australia, the Australian Privacy Principles under the Privacy Act 1988 apply to our handling of your data. Complaints can be made to the Office of the Australian Information Commissioner at oaic.gov.au. If you're in New Zealand, the Privacy Act 2020 applies. Complaints can be made to the Office of the Privacy Commissioner at privacy.org.nz.
Japan (APPI)
If you're in Japan, we process your personal information in accordance with the Act on the Protection of Personal Information (APPI). You have rights of access, correction, deletion, and to request a halt to use. The supervisory authority is the Personal Information Protection Commission at ppc.go.jp/en.
Other jurisdictions
If you're located somewhere not covered above and believe your local privacy law gives you rights we haven't addressed, email admin@gymletics.com and we'll work with you in good faith.
Changes to this policy
We review this policy at least annually and update it whenever there's a material change to how we handle personal data. If we make a significant change, we'll notify you by email (if you're an account holder or newsletter subscriber) and post a notice on the site.
The "Last reviewed" date at the top of this page reflects the most recent update.
Contact
For any privacy-related question, request, or complaint:
- Email: admin@gymletics.com
- Post: Privacy, Gymletics Limited, 3 Woodville Place, Meir, Stoke-on-Trent, ST3 6DA, United Kingdom
We aim to respond within one calendar month.

