Privacy Policy
Last updated: April 2026
1. Who we are
Forging Strength Kinross ("Forging Strength Kinross", "we", "us", "our") is the data controller responsible for your personal data. We are based at Kinross, Scotland, United Kingdom. If you have any questions about this policy or how we handle your data, please contact us at [email protected].
2. What data we collect
When you register for and use the FSK member portal, we collect and process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity data | Full name |
| Contact data | Email address, mobile phone number |
| Account credentials | Hashed password (we never store your password in plain text) |
| Booking data | Classes booked, cancellations, attendance history |
| Payment data | Stripe customer ID, subscription status (payment card details are held solely by Stripe and never stored on our servers) |
| Technical data | IP address, browser type, login timestamps |
3. How we use your data
We process your personal data only for the purposes set out below, relying on the lawful bases indicated:
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your member account | Contract (Art. 6(1)(b)) |
| Processing class bookings and cancellations | Contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Contract (Art. 6(1)(b)) |
| Sending booking confirmations and class reminders | Contract (Art. 6(1)(b)) |
| Sending service updates and important notices | Legitimate interests (Art. 6(1)(f)) |
| Complying with legal and regulatory obligations | Legal obligation (Art. 6(1)(c)) |
| Improving the portal and diagnosing technical issues | Legitimate interests (Art. 6(1)(f)) |
We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
4. Who we share your data with
We do not sell, rent, or trade your personal data. We share data only with trusted third-party service providers who process it on our behalf and are bound by appropriate data processing agreements:
- Stripe, Inc. -- payment processing. Stripe is certified to PCI DSS Level 1. Their privacy policy is available at stripe.com/gb/privacy.
- Manus AI -- hosting and infrastructure for this portal.
- Email service provider -- for transactional emails such as booking confirmations and password resets.
We may disclose your data if required to do so by law or in response to a valid request from a public authority.
5. International transfers
Some of our service providers may process data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or adequacy decisions made by the UK Secretary of State, in accordance with UK GDPR Chapter V.
6. How long we keep your data
We retain your personal data for as long as your account is active or as necessary to provide our services. If you request deletion of your account, we will erase your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (for example, financial records, which we retain for six years in accordance with HMRC guidance). Anonymised or aggregated data that cannot identify you may be retained indefinitely for statistical purposes.
7. Your rights under UK GDPR
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights in relation to your personal data:
- Right of access -- to request a copy of the personal data we hold about you.
- Right to rectification -- to request correction of inaccurate or incomplete data.
- Right to erasure -- to request deletion of your data in certain circumstances.
- Right to restriction -- to request that we limit how we use your data.
- Right to data portability -- to receive your data in a structured, machine-readable format.
- Right to object -- to object to processing based on legitimate interests.
- Right to withdraw consent -- where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Cookies and tracking
This portal uses a session cookie solely to keep you signed in. We do not use advertising, tracking, or analytics cookies. No third-party cookies are set by this portal.
9. Data security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. Passwords are stored using bcrypt hashing. All data is transmitted over HTTPS. Access to member data is restricted to authorised staff only.
10. Changes to this policy
We may update this privacy policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For significant changes, we will notify you by email or via a notice on the portal. We encourage you to review this policy periodically.
11. Contact us
If you have any questions, concerns, or requests relating to this privacy policy or our data practices, please contact us at [email protected].