Start free trial
Privacy

Privacy Policy

How NattyHawk collects, uses, shares, and protects personal data, and the rights you have under GDPR and US privacy laws.

Last updated: 7 June 2026

This Privacy Policy explains how [LEGAL ENTITY NAME] ("NattyHawk", "we", "us", or "our") handles personal data in connection with the NattyHawk gym member check-in service and the website at www.nattyhawk.com (together, the "Service"). We have written it to meet the requirements of the EU and UK General Data Protection Regulation (GDPR) and of US state privacy laws, including the California Consumer Privacy Act as amended by the CPRA.

This document uses bracketed placeholders such as [LEGAL ENTITY NAME] and [REGISTERED ADDRESS]. They must be completed and the whole policy reviewed by qualified counsel before publication. This page is a strong starting draft, not legal advice.

1.Who we are

NattyHawk is a service that lets gyms and fitness studios check members in with a QR code, manage member records, and view a live dashboard. The data controller responsible for this website and for NattyHawk account holders is:

  • Entity: [LEGAL ENTITY NAME]
  • Registered address: [REGISTERED ADDRESS]
  • Privacy contact: privacy@nattyhawk.com
  • EU and UK representative (where required under Article 27 GDPR): [EU/UK REPRESENTATIVE NAME AND ADDRESS]
  • Data Protection Officer, if appointed: [DPO CONTACT, IF ANY]

2.Our two roles: controller and processor

NattyHawk is sold to gyms (our "Customers"). Our role under data protection law depends on whose data is involved.

Member data belongs to the gym. When a gym uses NattyHawk to manage its members and check-ins, the gym is the data controller and decides why and how that member data is used. NattyHawk acts only as a data processor, handling member data on the gym's documented instructions. If you are a gym member, please direct privacy requests to your gym first. We will support the gym in responding.

For our own account holders (the gym staff who register and sign in) and for visitors to this website, NattyHawk is the data controller. The rest of this policy applies in full to those uses, and applies to member data only to the extent we act on our own behalf (for example, to keep the Service secure).

Where we act as a processor, our handling of member data is also governed by a Data Processing Agreement (DPA) between NattyHawk and the gym, which forms part of our Terms of Service.

3.Information we process

3.1 Member data (we act as processor on behalf of the gym)

Gyms enter and store the following about their members. Most fields are optional and are chosen by the gym:

  • First and last name.
  • Email address and phone number (optional).
  • Membership type, membership start and expiry dates, and status (active or on hold).
  • Internal notes added by gym staff (optional).
  • A member photo (optional), uploaded or captured by gym staff and used for visual identification at the front desk.
  • Check-in records: the QR code value scanned, the date and time of each check-in, and the linked member and code identifiers.
No facial recognition or biometrics. Member photos are stored as ordinary images for staff to recognise members by sight. NattyHawk does not run face detection, does not create facial templates or other biometric identifiers, and does not use photos to identify people automatically. Check-in uses the QR code value only. Where a photo of a member's face is collected, the gym (as controller) is responsible for any consent or notice required under local law.

3.2 Account and website data (we act as controller)

  • Account details: the name and email address of the gym staff member who registers, whether the email is verified, an optional gym name, and an optional avatar image link.
  • Authentication data: a securely hashed password (we never store passwords in plain text), managed through our authentication library. If a gym enables Google sign-in, we receive basic Google account identifiers to create and link the account.
  • Session and device data: session records that keep you signed in, including a session token, an expiry time, the associated gym, and, where captured by the authentication layer, the IP address and browser user-agent of the device.
  • Contact form submissions: if you contact us through the website, your name, gym name, email address, and message. We also use Cloudflare Turnstile, a privacy-preserving anti-spam check, to confirm the form was submitted by a person.
  • Preferences: a light or dark theme preference stored in your browser's local storage. This stays on your device and is not personal data we collect.

We do not use advertising trackers, and we do not run third-party web analytics such as Google Analytics on the Service.

4.How and why we use information, and our legal bases

As a controller under GDPR, we rely on the following legal bases:

  • To provide and operate the Service (create accounts, authenticate sign-in, keep you logged in, deliver core features). Legal basis: performance of a contract, Article 6(1)(b).
  • To keep the Service secure and prevent abuse (manage sessions, detect and block spam and fraudulent activity, protect against unauthorised access). Legal basis: legitimate interests, Article 6(1)(f), and where applicable a legal obligation, Article 6(1)(c).
  • To respond to enquiries you send through the contact form or by email. Legal basis: legitimate interests, Article 6(1)(f), and steps taken at your request before entering a contract, Article 6(1)(b).
  • To maintain, troubleshoot, and improve the Service. Legal basis: legitimate interests, Article 6(1)(f).
  • To comply with law and to establish, exercise, or defend legal claims. Legal basis: legal obligation, Article 6(1)(c), and legitimate interests, Article 6(1)(f).

Where we rely on legitimate interests, we have considered your rights and interests and will provide more detail on request. Where we rely on consent (for example, optional contact preferences), you can withdraw it at any time without affecting prior processing.

We do not make decisions producing legal or similarly significant effects about you using solely automated processing.

5.Cookies and similar technologies

We keep cookie use to the minimum needed to run the Service:

  • Essential session cookie: set when you sign in so the Service can keep you authenticated. This is strictly necessary and cannot be switched off without breaking sign-in.
  • Cloudflare Turnstile: the anti-spam check on the contact form may set short-lived storage to verify a human submission. It is used for security, not advertising.
  • Local storage: your theme preference, stored on your device only.

We do not use advertising, profiling, or cross-site tracking cookies. Because we set only strictly necessary and security technologies, no separate consent banner is required for them in the EU and UK. If this changes, we will update this section and request consent where the law requires it.

6.Sharing and sub-processors

We do not sell personal data and we do not share it for cross-context behavioural advertising. We share data only with service providers who help us run the Service, under contracts that require them to protect it:

  • Cloudflare, Inc. provides our hosting, application runtime, database, file storage (for photos and QR images), and the Turnstile anti-spam check. Personal data in the Service is stored on Cloudflare infrastructure.
  • Google LLC processes basic account identifiers only if a gym chooses to enable Google sign-in. If Google sign-in is not used, no data is shared with Google.
  • Professional advisers, authorities, and successors: we may disclose data to legal or financial advisers, to regulators or law enforcement where required by law, and to a buyer or successor in the event of a merger, acquisition, or reorganisation, subject to appropriate safeguards.

A current list of sub-processors is available on request at privacy@nattyhawk.com.

7.International data transfers

Our infrastructure provider operates a global network, so personal data may be processed in countries outside the European Economic Area and the UK, including the United States. Where data is transferred outside the EEA or UK, we rely on appropriate safeguards under GDPR, in particular the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with the supplementary measures our providers maintain. You can request a copy of the relevant safeguards by contacting us.

8.How long we keep data

We keep account and website data for as long as the related account is active, and then for a limited period as needed to meet legal, accounting, security, and dispute-resolution requirements, after which it is deleted or anonymised.

  • Account data: kept while the account is open. After closure, we delete or anonymise it within [RETENTION PERIOD, e.g. 90 days], unless a longer period is required by law.
  • Contact form messages: kept for up to [RETENTION PERIOD, e.g. 24 months] to handle and follow up on enquiries.
  • Member data (as processor): retained for the gym and deleted on the gym's instruction or after the gym's account ends, as set out in the DPA.
  • Security and session logs: kept only as long as needed to secure the Service.

9.How we protect data

We take appropriate technical and organisational measures to protect personal data, including encryption in transit, encryption at rest provided by our infrastructure, hashed passwords, access controls, separation of each gym's data, and least-privilege access for staff. No system can be guaranteed completely secure, but we work to protect data against unauthorised access, loss, and misuse, and we maintain procedures to handle any personal data breach, including notifying regulators and affected people where the law requires.

10.Your rights (EU, EEA, and UK)

If the GDPR applies to you, you have the right to:

  • Access the personal data we hold about you, and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") in certain circumstances.
  • Restrict or object to processing, including processing based on legitimate interests.
  • Data portability: receive certain data in a structured, commonly used, machine-readable format.
  • Withdraw consent at any time, where we rely on consent.
  • Lodge a complaint with your local supervisory authority. We would appreciate the chance to address your concerns first.

To exercise these rights, contact privacy@nattyhawk.com. If you are a gym member, please contact your gym (the controller); we will help the gym fulfil your request. We respond within the time limits set by law, normally one month.

11.US state privacy rights

If you are a resident of California or another US state with a comprehensive privacy law (such as Virginia, Colorado, Connecticut, Utah, or Texas), you may have the following rights, subject to that law and verification of your identity:

  • Know and access the categories and specific pieces of personal information we have collected about you.
  • Delete personal information we hold about you, with limited exceptions.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information and of targeted advertising. We do not sell or share personal information and do not use it for targeted advertising, so there is nothing to opt out of, but you may still submit a request.
  • Limit the use of sensitive personal information. We do not use sensitive personal information for purposes that trigger this right.
  • Non-discrimination: we will not deny service, charge a different price, or provide a different quality of service because you exercised your rights.

Categories of personal information we collect, as defined by California law, include identifiers (such as name and email), customer records, internet or network activity limited to what is needed for security, and visual information (member photos handled on behalf of gyms). We collect this for the business purposes described in this policy and disclose it only to the service providers listed above. We have not sold personal information in the preceding twelve months.

To exercise US privacy rights, email privacy@nattyhawk.com. You may use an authorised agent, and we may ask for proof of authorisation and verification of your identity. If we deny a request, you may appeal by replying to our response.

12.Children

The Service is intended for gyms and their staff, not for direct use by children. We do not knowingly collect personal data directly from children. Where a gym manages records for members who are minors, the gym is responsible, as controller, for obtaining any consent required by local law. If you believe a child has provided us personal data directly, contact us and we will delete it.

13.Changes to this policy

We may update this policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify account holders. Continued use of the Service after an update means you have read the current version.