Privacy Policy

Privacy Policy – Health Compass

Last updated: 29 June 2026

Health Compass (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data in accordance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

Health Compass is a company registered in Ireland, company number 510690. Our registered office is at Wolftone Street, Naas, Co. Kildare, Ireland.

This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it.

1. Who we are and how to contact us

Health Compass is the data controller responsible for your personal data.

  • Email: john@healthcompass.ie
  • Phone: 086 083 6979
  • Post: Health Compass, Wolftone Street, Naas, Co. Kildare, Ireland

[If you have appointed a specific Data Protection Officer or privacy contact, add their name and direct contact details here. Otherwise the contact details above will be treated as the point of contact for all data protection queries.]

2. The personal data we collect

Depending on how you interact with us, we may collect:

  • Contact and identity data – name, email address, phone number, postal address.
  • Account and booking data – membership, booking, or appointment details, and attendance history.
  • Health and wellness information [CONFIRM IF APPLICABLE – e.g. health questionnaires, fitness assessments, injury history, dietary or health goals]. This counts as special category data under Article 9 GDPR, and we handle it with extra care – see Section 4.
  • Payment information – your payments are processed by our payment provider [CONFIRM PROVIDER, e.g. Stripe, SumUp]; we do not store full card details ourselves. If you pay by direct debit, your bank details are passed only to our bank to set up and manage the arrangement – this is covered by the Direct Debit Guarantee Scheme, and we don’t keep a copy.
  • Communications – messages, emails, or calls you send us, and our replies.
  • Marketing preferences – whether you’ve opted in to receive updates from us.
  • Website and technical data – IP address, browser/device type, and pages visited, gathered through cookies (see Section 5).
  • CCTV footage [CONFIRM IF APPLICABLE – only if our premises uses CCTV].
  • Recruitment data – if you apply for a role with us (see Section 9).

We collect this mostly directly from you – when you book, register, or get in touch – and occasionally from third parties such as our booking platform or payment processor.

3. Why we use your information, and our legal basis

We only process your personal data where we have a valid legal basis under GDPR:

| Purpose | What this involves | Legal basis |
|---|---|---|
| Providing our services | Managing bookings, membership, and delivering what you’ve asked us for | Performance of a contract |
| Health & safety assessment | Assessing suitability for an activity, recording relevant health information | Explicit consent (Art. 9) / vital interests in an emergency |
| Payments | Processing payments and refunds | Performance of a contract / legal obligation |
| Customer service | Responding to enquiries, complaints, and support requests | Legitimate interests / contract |
| Marketing communications | Sending updates, offers, or newsletters | Consent (withdrawable at any time) |
| Website analytics | Understanding how our website is used | Consent (for non-essential cookies) / legitimate interests |
| Legal and tax compliance | Maintaining financial and statutory records | Legal obligation |
| Recruitment | Assessing job applications | Legitimate interests / consent |
| Security | CCTV (if applicable), fraud prevention | Legitimate interests |

We do not use automated decision-making or profiling that produces legal or similarly significant effects about you without human involvement. If this changes in future – for example, AI-assisted recommendations – we will update this policy and seek your consent where required by law.

4. Health and other special category data

Because Health Compass operates in the health and wellness space, some information you give us may be special category data under Article 9 GDPR – for example, details about a medical condition, injury, or health goal.

We only process this information:

  • with your explicit, informed consent, which you can withdraw at any time; or
  • where necessary to protect someone’s vital interests in an emergency; or
  • where necessary for the provision of health-related care, subject to confidentiality safeguards.

We keep this information separate from general marketing records, limit access to staff who need it to deliver your service, and apply the additional security measures described in Section 8.

5. Cookies and similar technologies

Our website uses cookies. Strictly necessary cookies (for example, to keep you logged in) are used without asking for consent, as permitted under the Irish ePrivacy Regulations. Non-essential cookies (analytics, marketing, remarketing) are only set with your consent, given through the cookie banner on our site – you can change your mind and withdraw that consent at any time.

For details of the specific cookies we use and how to manage them, see our Cookie Policy.

6. Who we share your information with

We do not sell your personal data. We may share it with:

  • Service providers acting on our behalf – for example, our payment processor, booking software, email and website hosting, and IT support [CONFIRM specific tools/providers] – under contracts requiring them to protect your data and use it only as we instruct.
  • Professional advisors – accountants, solicitors, or insurers, where necessary.
  • Regulators or legal authorities – where required by law, a court order, or to protect our legal rights.
  • A new owner – if our business is sold or restructured, your data may transfer as part of that process, subject to the same protections set out here.

7. International data transfers

If any service provider we use is based outside the European Economic Area (EEA) – for example, in the United States – we make sure your data is protected by one of the following:

  • an EU adequacy decision (for example, the EU–US Data Privacy Framework, which currently permits transfers to participating US organisations – though this remains under legal challenge at EU level and we monitor developments); or
  • Standard Contractual Clauses approved by the European Commission, together with a transfer risk assessment; or
  • another safeguard recognised under GDPR.

You can ask us which safeguard applies to a specific transfer by contacting us using the details in Section 1.

8. How long we keep your information

We keep personal data only for as long as necessary for the purpose it was collected:

| Type of data | Typical retention |
|---|---|
| Account, booking, and membership records | For the duration of our relationship, plus [CONFIRM, e.g. 2 years] afterwards |
| Health and fitness records | [CONFIRM – e.g. duration of relationship plus X years] |
| Financial and invoicing records | 6 years, as required under Irish Revenue rules |
| Marketing consents | Until withdrawn, or after [CONFIRM period] of inactivity |
| CCTV footage | [CONFIRM – commonly 28–30 days, unless needed for an investigation] |
| Unsuccessful job applications | 12 months, unless you ask us to delete it sooner, or consent to longer retention |
| Employee records | 6 years after employment ends |

After these periods, we securely delete or anonymise the data.

9. Job applicants

If you apply for a role with us, we use your application to assess your suitability and communicate with you about the process. If you’re unsuccessful, we keep your details for 12 months in case a suitable role comes up later, unless you ask us not to. If we hire you, we’ll give you separate information about how we handle your data as an employee.

10. Keeping your data secure

We use appropriate technical and organisational measures to protect your personal data, including encryption in transit (SSL/TLS), access controls, and restricting access to staff who need it to do their job. No system is completely secure, but we review our practices regularly and will notify you and the Data Protection Commission of any data breach where the law requires it.

11. Children’s privacy

Our services are intended for adults. Where we run programmes for under-18s [CONFIRM IF APPLICABLE], we collect only the minimum information necessary and require consent from a parent or guardian before processing a child’s personal data.

12. Your rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (“right to be forgotten”) in certain circumstances
  • Restrict how we use your data
  • Object to processing based on legitimate interests or direct marketing
  • Port your data – receive it in a structured, machine-readable format
  • Withdraw consent at any time, where we rely on consent
  • Complain to the Irish Data Protection Commission (see below)

To exercise any of these rights, contact us using the details in Section 1. We’ll respond within one month, as required by law, and may need to verify your identity first.

13. How to complain

We hope you’ll never need to, but if you’re unhappy with how we’ve handled your personal data, please contact us first at john@healthcompass.ie so we can try to put it right.

You also have the right to complain directly to the Irish Data Protection Commission:

  • Online: forms.dataprotection.ie/contact
  • Post: Data Protection Commission, 6 Pembroke Row, Dublin 2, D02 X963, Ireland
  • Phone: (01) 765 0100 or 1800 437 437

14. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or the law. The version published on our website is always the current one, dated at the top of this page.