Privacy Policy
Last updated: 16 June 2026
Who we are
This website is operated by White Elephant Fitness ("we", "us", "our"), a Muay Thai coaching service based in Tonbridge, Kent. We act as the data controller for personal data collected through this site. You can contact us at [BUSINESS CONTACT EMAIL].
What data we collect
When you complete our enquiry or booking form, we collect the personal data you provide:
- Your name
- Your email address
- Your phone number (only if you choose to provide it)
- Any message you include with your enquiry
We also automatically receive technical information needed to run the site securely, such as your approximate IP address (used short-term for spam and abuse prevention).
Why we use your data
- To reply to your enquiry and arrange sessions.
- To keep a record of bookings and communications.
- To protect the website and form from spam, abuse and malicious activity.
Lawful basis
- Consent (UK GDPR Art. 6(1)(a)) — for contacting you via the enquiry form, and for any non-essential cookies you opt in to.
- Legitimate interests (UK GDPR Art. 6(1)(f)) — for keeping the site secure, preventing abuse, and basic record-keeping.
- Legal obligation (UK GDPR Art. 6(1)(c)) — where we need to keep records for tax or other regulatory reasons.
How long we keep it
We keep enquiry data for [RETENTION PERIOD] after our last interaction with you, then delete it. Booking and payment records may be kept longer where required by UK tax law (typically up to 6 years). Spam-prevention logs (such as short-lived IP counters) are kept only for as long as needed to throttle abuse, typically minutes.
Who we share it with
We do not sell your personal data. We share it only with trusted service providers that help us run the site and respond to enquiries, and only as needed to deliver those services:
- Our hosting and database provider, which stores form submissions securely in the UK / EU.
- Our transactional email provider, used to send the enquiry notification to us.
- [ANY THIRD PARTIES]
Where any provider is located outside the UK, we use appropriate safeguards (such as the UK International Data Transfer Addendum) to protect your data.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Have your data erased ("right to be forgotten").
- Restrict or object to how we use your data.
- Receive a copy of your data in a portable format.
- Withdraw consent at any time, where consent is the basis.
To exercise any of these rights, email us at [BUSINESS CONTACT EMAIL]. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
Security
All submissions are sent over HTTPS. Our database is access controlled and protected by row-level security policies. We apply security headers (Content-Security-Policy, HSTS, X-Content-Type-Options and others) to reduce the risk of common web attacks.
Cookies
For full details about the cookies we use and how to manage them, see our Cookie Policy. You can change your preferences any time using the "Cookie settings" link in the footer.
Changes to this policy
We may update this Privacy Policy from time to time. We'll update the "Last updated" date above when we do.