Privacy Policy

We’re committed to protecting your personal and medical information with the same care, integrity, and professionalism that define our clinical standards.

This policy outlines how Fit Certify collects, stores, and protects personal, medical, and payment information in line with the UK GDPR and international data-protection standards.

Effective Date: 1 July 2024 | Last Reviewed: October 2025 | Next Scheduled Review: October 2026 | Data Protection Lead: dpo@fitcertify.com

1. Introduction

At Fit Certify, we take your privacy and the protection of your data seriously. This Privacy Policy explains how we collect, use, store, and safeguard your personal and medical information when you use our services or visit our website.

By using our website or submitting personal data to us, you agree to the terms outlined in this policy.

Fit Certify is a medical organisation that issues sports medical certificates through a network of licensed doctors. All data processing complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and comparable international privacy frameworks.

2. Data Controller

Fit Certify is the Data Controller responsible for handling your personal information in line with the UK General Data Protection Regulation (UK GDPR). All privacy-related enquiries are managed by our internal Data Protection Lead, who can be contacted at dpo@fitcertify.com.

3. Information We Collect

We may collect and process the following categories of personal data:

  • Personal Information: Name, email address, phone number, billing address, and other details required to issue your sports medical certificate.
  • Medical Information: Relevant health-related data (medical history, symptoms, medications) provided to our licensed doctors for certification purposes.
  • Payment Information: Credit/debit-card or other payment details processed securely through trusted third-party processors.
  • Automatically Collected Information: Device data, browser type, IP address, and site-usage information obtained via cookies and similar technologies.

We do not collect unnecessary data or use sensitive information for marketing purposes.

4. Lawful Basis for Processing Your Data

We process your personal data under one or more of the following lawful bases:

  • Consent: When you voluntarily provide data to access our services.
  • Contract: When processing is necessary to deliver a requested service (e.g., issuing a medical certificate).
  • Legal Obligation: To comply with statutory duties such as record-keeping and tax reporting.
  • Legitimate Interests: To improve our services, ensure quality, and maintain site security, provided these interests do not override your rights.

5. How We Use Your Information

Your data may be used to:

  • Provide and deliver requested services, including sports medical certificates.
  • Verify your identity and manage your Fit Certify account.
  • Communicate about orders, results, or service updates.
  • Maintain internal records, quality control, and audit processes.
  • Improve website functionality and user experience.
  • Comply with legal or regulatory requirements.

5. How We Use Your Information

Your data may be used to:

  • Provide and deliver requested services, including sports medical certificates.
  • Verify your identity and manage your Fit Certify account.
  • Communicate about orders, results, or service updates.
  • Maintain internal records, quality control, and audit processes.
  • Improve website functionality and user experience.
  • Comply with legal or regulatory requirements.

6. Data Retention

We retain personal and medical data only for as long as necessary to fulfil the purposes described above or as required by law. Once no longer needed, data is securely deleted or anonymised according to healthcare-data retention standards.

7. Sharing Your Information

We do not sell or rent your data. We may share information only in these cases:

  • Service Providers: Trusted partners (e.g., payment processors, IT support, secure storage) bound by strict data-processing agreements.
  • Legal Compliance: When required to respond to lawful requests from public authorities or courts.
  • Business Transfers: In the event of a merger or acquisition, your data may transfer to the successor entity under the same protections.

All third-party processors are vetted for GDPR compliance and data-security standards.

8. Data Security

We employ technical and organisational safeguards to protect your data against unauthorised access or loss. Measures include:

  • SSL/TLS encryption for all transmitted data.
  • Encrypted servers located in secure data centres.
  • Access controls limiting data visibility to authorised staff only.
  • Regular audits and security testing.

Our information-security framework aligns with ISO/IEC 27001 standards and includes HIPAA-equivalent safeguards for health information. Data protection forms part of Fit Certify’s wider Clinical Governance and Code of Practice, overseen by our Medical Director, Dr Simon Shaw.

9. Your Data Protection Rights

Under the UK GDPR, you have the right to:

  • Access – obtain a copy of your personal data.
  • Rectification – correct inaccurate or incomplete data.
  • Erasure – request deletion of your data where legally permissible.
  • Restriction – limit how we process your data.
  • Objection – object to certain types of processing.
  • Data Portability – receive your data in a portable format.

To exercise these rights, contact us at hello@fitcertify.com or dpo@fitcertify.com. We will respond within one calendar month in accordance with GDPR requirements.

If you believe your data has been misused, you have the right to lodge a complaint with: Information Commissioner’s Office (ICO) – website: www.ico.org.uk

10. Cookies and Tracking Technologies

Fit Certify uses cookies and similar tools to enhance site performance and user experience. You can adjust cookie preferences through your browser settings. For detailed information, please see our Cookie Policy.

11. Children’s Privacy

Our services are intended for adults aged 16 and over. We do not knowingly collect personal data from minors without verified parental consent. If you believe a child’s data has been provided without consent, contact us immediately for deletion.

12. Third-Party Links

Our website may link to external sites. Fit Certify is not responsible for the privacy practices or content of these third parties and encourages users to review their policies before providing personal information.

13. International Data Transfers

Where data is transferred outside the UK or EEA, Fit Certify ensures appropriate safeguards such as Standard Contractual Clauses (SCCs) or equivalent protection measures are in place.

14. Updates to This Policy

We may update this Privacy Policy periodically to reflect legal, technical, or operational changes. All revisions will appear on this page with an updated effective date. Significant changes will be communicated via email or notice on our website.

14. Updates to This Policy

For questions, concerns, or data-protection requests, please contact:

Fit Certify
Email: hello@fitcertify.com
Data Protection Lead: dpo@fitcertify.com