Legal

Privacy notice

Your data, in plain English. What we hold, why, and how to get it out.

Last updated 12 June 2026.

Who we are

LongShot is a functional-fitness gym in Longcot, Oxfordshire. We are the data controller for the information described here. Questions, requests or complaints go to hello@longshot.fit.

What data we hold

• Account. Your name, email, password (hashed, never stored in plain text), and the membership plan you are on.
• Scores. The workout results you log: times, rounds, reps, loads, and the WOD they belong to.
• Bookings. The classes you book, attend, cancel or no-show, with their dates and times.
• WhatsApp. Your phone number, your opt-in to WhatsApp messages, and the timestamp of that opt-in. We keep the opt-in timestamp so we can prove consent.
• Payments. A Stripe customer reference and the history of charges. We do not store your card number; Stripe does.

Who processes it (our processors)

We use a small set of providers to run the gym. Each only gets what it needs.

• Stripe. Payments and subscription billing. Holds your card details and billing history.
• Twilio. WhatsApp and SMS delivery. Receives your phone number to send the message you opted in to.
• Resend. Transactional email (receipts, booking confirmations, password resets). Receives your email address.
• Cloudflare. Hosting, storage and the database. Holds the data above and processes web traffic.
• PostHog. Product analytics, so we can see which pages and features get used. Configured to minimise personal data.

Our lawful bases

• Contract. We process your account, bookings, scores and payments to give you the membership you signed up for.
• Consent. WhatsApp messages go out only because you opted in. You can withdraw consent any time without affecting your membership.
• Legitimate interests. We use analytics and keep security logs to run a safe, working service. We balance this against your privacy and keep it proportionate.
• Legal obligation. We keep certain financial records for as long as tax law requires.

Your right to export your data

You can download everything we hold about you. Go to your account settings and choose Export my data. We generate a machine-readable file of your account, scores, bookings and consent records. If you cannot reach the in-app option, email hello@longshot.fit and we will send it within one month.

Your right to delete your account

You can close your account and have your personal data erased. Go to your account settings and choose Delete my account. We remove your name, email, phone number and scores. Where we must keep a record for accounting or to stop abuse, we retain only a non-identifying tombstone: an audit record that proves an action happened without holding your personal details. You can also request deletion by emailing hello@longshot.fit.

Your other rights

Under UK GDPR you can ask us to correct data, restrict or object to processing, or withdraw consent. To exercise any of these, use account settings or email us. You can also complain to the Information Commissioner's Office at ico.org.uk, though we would rather you told us first so we can fix it.

How long we keep things (retention)

• Account, scores and bookings: while your account is open.
• After deletion: personal fields are erased; an anonymous audit tombstone remains so the record of the action survives without identifying you.
• WhatsApp opt-in timestamps: kept as proof of consent, then erased on deletion.
• Financial records: as long as UK tax law requires, then deleted.

Cookies and analytics

We keep cookies to a minimum. The detail is in the cookie notice.

Contact

Email hello@longshot.fit. We answer data requests within one month, usually a lot sooner.

See also our terms and cookie notice.