Privacy Notice

Last updated: 24 May 2026

1. Who we are

Fortis-Solutions Ltd ("we", "us", "Heartbody") is a company registered in England & Wales, company number 16934389, registered office 167-169 Great Portland Street, London W1W 5PF. We are the data controller of personal data described in this notice. We are registered with the Information Commissioner's Office under registration number ZC139102.

2. Contact

For any data-protection query, email support@heartbody.co.uk with the subject line "Data request".

3. What personal data we process

We process the following categories of personal data:

• Customer account data: name, business name, email, phone, address, billing details, business registration data publicly available on Companies House.
• End-member data: names, email, phone, payment cards, attendance records, health notes where applicable, photos where uploaded. For this category our gym customer is the data controller and Heartbody is the data processor acting on their documented instructions. Member subject-access, rectification and erasure requests should be directed to the gym in the first instance; we will support the gym in fulfilling them.
• Prospect data: publicly-available business information about UK gyms (Companies House director names, registered addresses, app store listings, website data) used for our outreach campaigns.
• Usage data: server logs, IP address, browser, device type, pages visited.
• Communications: emails, support tickets, call notes.

4. Why we process it (lawful bases)

• Contract: to deliver the Heartbody service to paying customers.
• Legitimate interest: to identify and contact UK gym operators who are prospects for our service. Where we collect publicly-available business information from Companies House and other public sources, we rely on legitimate interest. Operators may opt out at any time by emailing support@heartbody.co.uk with subject "Remove from outreach".
• Legal obligation: tax, accounting, anti-fraud, regulatory reporting.
• Consent: marketing communications beyond our outreach campaigns; cookies that are not strictly necessary.
• Explicit consent (UK GDPR Art. 9(2)(a)): where health-related notes are recorded against a member (e.g. injury history, medical conditions relevant to class participation), our gym customer is responsible for obtaining the member's explicit consent before entering that data into the platform.

5. Sub-processors

We use the following sub-processors to deliver the service. Each is contractually bound under a Data Processing Addendum.

• Stripe Payments UK Ltd — card and subscription processing (UK / EEA).
• Resend, Inc. — transactional email delivery.
• Vercel Inc. / Neon Database — hosting where applicable.
• Digital Ocean Holdings Inc. — server hosting (UK / EU regions).

A current, updated list of sub-processors is available on request.

Heartbody provides every paying customer with a Data Processing Addendum (DPA) covering our processing of end-member data on their behalf, incorporating the UK Information Commissioner's International Data Transfer Addendum where relevant. A copy is available on request to support@heartbody.co.uk.

6. Where your data is stored

Heartbody is UK-hosted on infrastructure located within the UK and EEA. Where any sub-processor transfers data outside the UK, we rely on the UK Government's Adequacy Regulations or appropriate Standard Contractual Clauses.

7. Retention

We retain personal data for as long as is necessary to provide the service plus a period required by law:

• Customer account data: while you have an active subscription, then 6 years for tax and accounting.
• End-member data: while you (our customer) instruct us to hold it. We delete on your written instruction or 90 days after your subscription ends, whichever is sooner.
• Prospect data: maximum 18 months from collection, or until opt-out request.
• Server logs: 90 days.

8. Your rights

Under UK GDPR you have the right to: access your data, rectify inaccuracies, request erasure, restrict processing, data portability, object to processing, and object to automated decision-making. To exercise any of these, email support@heartbody.co.uk. We will respond within 30 days.

You also have the right to complain to the Information Commissioner's Office if you believe we have not handled your data correctly.

9. Cookies

See our Cookie policy for details on cookies used on this site.

10. Changes to this notice

If we make material changes, we will update the "Last updated" date and, where required, notify existing customers by email.