Policies & Compliance

Thinkofit Ltd is committed to protecting the privacy, safety, and rights of everyone we work with.

Policy Version: 1.0  ·  Initial Issue: 03/03/2026  ·  Authored by: Anthony Dias

Policy Statement

Thinkofit Ltd is committed to protecting the privacy and personal data of employees, clients, contractors, visitors, and any other individuals whose data we process.

UK GDPR
Data Protection Act 2018
Privacy & Electronic Communications Regulations (PECR)
Human Rights Act 1998
ICO CCTV Code of Practice

Scope

This policy applies to all of the following:

Employees
Visitors
Contractors
IT Systems
Cloud Services
Paper Records
CCTV Systems

Data Protection Principles

Thinkofit Ltd adheres to the seven UK GDPR principles:

1. Lawfulness, fairness and transparency

Data must be processed lawfully, fairly and in a transparent manner.

2. Purpose limitation

Data must be collected for specified, explicit and legitimate purposes.

3. Data minimisation

Data collected must be adequate, relevant and limited to what is necessary.

4. Accuracy

Data must be accurate and, where necessary, kept up to date.

5. Storage limitation

Data must not be kept longer than necessary for its stated purpose.

6. Integrity and confidentiality

Data must be processed securely to prevent unauthorised access or loss.

7. Accountability

The data controller is responsible for and must demonstrate compliance.

Lawful Basis for Processing

We process personal data under the following lawful bases:

Consent
Contractual necessity
Legal obligation
Legitimate interests
Vital interests
Public task (where applicable)

Data We Collect

Name and contact details
Date of birth
Payment information
Employment details
Email address
Health / fitness data (where relevant)
CCTV images
Website usage data

Consent

Where required, consent is freely given, specific, informed and unambiguous.

  • Individuals may withdraw consent at any time.
  • Individuals have the right to be forgotten.
  • Individuals can request access to any data held via a Subject Access Request (SAR).

Data Usage

Service delivery
Payment processing
Legal compliance
Security
Marketing (with consent only)

Data Sharing and Disclosure

Professional Advisers

Solicitors, accountants, and other professional service providers engaged to support business operations.

IT Providers

Third-party technology and system providers who help us deliver our services securely.

Regulators

Relevant regulatory bodies where we are legally required to share information.

Law Enforcement

Police or other authorities where legally required or where a serious crime is involved.

Data Security

We implement appropriate technical and organisational measures to protect personal information, including:

Password Protection

All systems are protected by strong, managed passwords.

Encryption

Data is encrypted in transit and at rest using industry-standard encryption.

Restricted Access

Strict access controls ensure only authorised personnel can access your data.

Secure Storage

Data is stored in secure, managed environments with regular security reviews.

Staff Training

All staff receive data protection training. Personnel accessing sensitive data must hold a satisfactory Enhanced DBS. Individuals with only a Basic or Standard DBS are not permitted to handle sensitive data.

Data Breach Reporting

Data breaches will be reported to the ICO within 72 hours where required under UK GDPR.

Data Retention

Data is retained only as long as necessary for legal, contractual, or legitimate business purposes. Once data is no longer required, it is securely disposed of in line with our retention schedule.

Your Individual Rights

Under UK GDPR, you have the following rights:

Right of Access

Request a copy of all personal data we hold about you (Subject Access Request).

Right to Rectification

Correct inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ('right to be forgotten').

Right to Restriction

Restrict how we process your data in certain circumstances.

Right to Portability

Receive your data in a structured, commonly used format.

Right to Object

Object to processing based on legitimate interests or for direct marketing.

Automated Decision-Making

Rights regarding automated profiling and decision-making processes.

Withdraw Consent

Withdraw your consent at any time without affecting the lawfulness of prior processing.

CCTV Policy

Purpose

CCTV is used exclusively for crime prevention, safety, property protection, and incident investigation. It is not used for personal monitoring or any purpose beyond those stated.

Transparency

Clear signage will be displayed to ensure staff, visitors and contractors are aware that CCTV is in operation, in line with transparent practice.

Access

Access is restricted to authorised personnel and, upon request, to agencies such as the Police, to aid incident investigation or where damage to or theft of property has occurred. All Thinkofit personnel accessing CCTV data must hold a satisfactory Enhanced DBS.

Retention

Maximum 30 days unless required for an ongoing investigation.

Security

Password-protected secure storage. Classified data accessible only to authorised regulators, agencies and personnel.

Policy Review Schedule

This policy is reviewed annually on the 3rd of March.
Next scheduled review: 03/03/2027.

Data Protection Enquiries

To exercise your rights, make a Subject Access Request, or raise a data protection concern, please contact us: