We didn't need GDPR to tell us to take safety and security of your data seriously. We have always done that, but for completeness here is a resume:-
In the studio we only hold data that appertains to your training (eg power, weight, and heart rate monitor ID), plus an emergency contact number. It is used solely by CFC coaches to monitor performance. It is never shared elsewhere.
At the registered office we hold the paper PAR-Q forms which we ask everyone to complete before undertaking training. This contains details of any health data and past injury information. These forms are kept under lock and key. The information is used solely by CFC coaches to understand a client's health and any training risk issues. It is never shared elsewhere.
Our billing system (Supersaas) contains data about current, future and past bookings made by registered clients. This is used to enable CFC to manage class volumes. We use the email addresses in the booking system to keep members informed of their bookings and to provide CFC-only updates. It is never shared elsewhere.