Updated · 8 min read

GDPR for fitness studios — a calm, practical guide

A note before we start. This is practical guidance, not legal advice. If a question matters for your business, talk to a data protection lawyer. We’re writing this so you know which questions are worth asking.

GDPR has been law since May 2018, and most studio owners we talk to have a vague sense of what it asks of them, but very few have a clear picture. That’s fair — the regulation is long, the guidance from supervisory authorities is sometimes inconsistent, and most of what’s written about it online is either lawyer-cautious or marketing-scary.

This piece is the calm middle. It’s a practical explainer for someone running a yoga studio, a CrossFit box, a Pilates reformer space, or a small gym, who wants to know: what does GDPR actually mean for me, what does my booking software take care of, and what do I need to take care of myself?

Two notes up front. First, the rules are broadly the same across the EU and the UK — UK GDPR is the EU text carried into UK law with the references adjusted, and the practical obligations for a small studio are essentially identical. Second — and we’ll say this more than once — this is not legal advice. It’s an attempt to demystify the moving parts so you know which questions are worth asking when something matters.

GDPR in one paragraph

GDPR is a regulation that says: if you collect personal data about people in the EU or UK, you have to have a good reason to collect it, you have to be honest with people about what you’re doing with it, you have to keep it secure, you have to delete it when you’re done with it, and you have to let people see, correct, or remove their own data on request. That’s the spine. Almost everything else is detail attached to one of those five ideas.

What counts as personal data in a studio

Personal data is anything that can identify a living person, directly or indirectly. In a typical studio that includes:

  • Names, email addresses, phone numbers, postal addresses
  • Date of birth, profile photos, emergency contact details
  • Booking history and class attendance records
  • Membership status, credit balances, purchase history
  • Payment metadata (card last-4, billing address — full card numbers should never be on your servers; that’s the payment provider’s job)
  • Health declarations from intake forms, injury notes, pregnancy status
  • Photos and videos taken in classes that include identifiable people
  • IP addresses and login timestamps in your software

One of these — health information — falls into a stricter category called special category data. Photos and videos of identifiable people are always personal data, and they can cross into special category territory too: when they are processed biometrically (face recognition), or when they reveal something like a health condition, a religious symbol, or ethnicity. We’ll come back to that.

The split: software versus you

GDPR introduces two roles: the data controller and the data processor. The controller decides what data is collected and why. The processor handles the data on the controller’s instructions. For a studio using booking software, the studio is the controller and the software provider is the processor. This distinction matters because the responsibilities split along it.

Roughly speaking, your booking platform should handle the technical side: encryption at rest and in transit, access controls, secure backups, audit logging, and the obligation to notify you without undue delay if there’s a breach on their side. One caveat on access controls: the platform provides the roles, but you decide who gets which one, so a member list leaked because everyone on staff had an owner login is your problem, not the processor’s. In Class Booking, the technical obligations are set out in a data processing agreement (a DPA) that we sign with every studio.

You handle the editorial side: deciding what data you collect in the first place, having a lawful basis for collecting it, asking for marketing consent the right way, deciding how long to keep things, and being the human at the other end of any subject access request a member sends you. The software can make all of this easier — exports, retention controls, audit logs — but it can’t make the decisions on your behalf.

What you actually need to write down

For a small studio, the documentation burden is smaller than people fear. Four things, roughly, are worth having in writing:

  • A simple privacy policy on your website. Plain language, one page, covering what you collect, why, who you share it with (your booking software, your payment provider, your email tool), how long you keep it, and how a member can exercise their rights.
  • A record of processing activities. A short internal document listing the categories of data you hold, why you hold them, and where they live. For a studio this is usually one page. Templates are widely available from EU and UK supervisory authorities.
  • A simple breach response plan. Half a page is enough. Who gets notified, in what order, who decides whether to inform the supervisory authority, who drafts the message to affected members. Note that where a breach must be reported to the supervisory authority, the clock is 72 hours from the moment you become aware of it, so the plan should also say who is watching the clock. The point is to have decided this calmly in advance, not in the moment.
  • Documentation of marketing consent. When a member ticked “email me about offers,” when they unsubscribed, the wording they consented to. Most modern email tools and booking platforms keep this automatically; if yours doesn’t, that’s a flag.

“The point of a breach response plan is to have decided things calmly in advance, not in the moment.”

Special category data: health forms

Health information collected through intake forms — injuries, pregnancy status, medical conditions, medications — is treated more strictly than ordinary personal data. Article 9 of GDPR calls this special category data, and processing it usually requires explicit, specific consent in addition to the normal lawful basis.

In practice, that means a few things. Collect only what you actually need to teach the class safely. A reformer Pilates studio probably needs to know about recent surgeries; a drop-in vinyasa class probably doesn’t need a full medical history. Restrict access to instructors who genuinely need it for the class they’re teaching, not the entire team. And review and delete it when it’s no longer relevant — a back injury someone declared three years ago that has long since healed shouldn’t still be in their file.

Subject access requests in practice

Every member has the right to ask for a copy of the personal data you hold about them, and for the data they gave you themselves (profile details, form answers) to be provided in a commonly used, machine-readable format. They also have the right to have it corrected, and in many cases the right to have it deleted. These are the rights most studios will encounter occasionally — usually after a member leaves, or after a relationship has soured, or just because someone is curious.

The response window is one month from the date of the request, extendable by up to two further months for genuinely complex requests if you tell the member within the first month. Two checks before you hit send: make sure the person asking is the member (or someone they have authorised), since sending a full bundle to the wrong address is itself a breach, and strip out other people’s data that happens to sit in the same records, such as another member’s name in a message thread. The response should include all the personal data tied to the person — profile details, booking history, payment metadata, messages, anything they’ve given you or you’ve generated about them. In Class Booking we provide a one-click GDPR export that produces a structured bundle ready to forward.

One thing to keep in mind: the right to erasure is not absolute. You can generally retain records you’re legally required to keep — invoices for tax purposes, for example — even if the member asks you to delete everything. What you can’t do is keep their data for marketing or operational convenience after they’ve asked you to stop.

Marketing emails

Three rules cover most of what a small studio needs to know about marketing email. (Strictly, they come from the ePrivacy rules that sit alongside GDPR — PECR in the UK — but the practical effect is the same.) Opt-in, never opt-out — no pre-ticked boxes at signup. Every marketing message should have a working, one-click unsubscribe link. Transactional messages tied to an existing booking or purchase (booking confirmations, receipts, schedule changes) sit in a different category and don’t need separate marketing consent.

The line between transactional and marketing can blur — a “you haven’t booked in a while, here’s 20% off” email is marketing, even if it’s sent through your booking platform. When in doubt, treat it as marketing and check that the recipient has opted in.

Common mistakes

Four patterns we see repeatedly when we talk to studios moving from older systems:

  • Forwarding member data via email or WhatsApp. A new instructor needs to know who’s coming to tomorrow’s class, so the owner exports a list to a spreadsheet and emails it. That spreadsheet now lives in two inboxes, possibly forever, with no audit trail and no way to recall it. The fix is to give the instructor an account in the booking system with class-level access, and let them see the list there.
  • Keeping ex-members forever. “They might come back” is not a lawful basis for retention. Set a sensible inactivity window (twelve months, twenty-four months — whatever fits your business and your tax obligations) and have your booking system either anonymise or delete accounts that pass it.
  • Photos of classes without consent. A staff Instagram of today’s class with everyone’s faces visible is a publication of personal data. Either get consent (a separate checkbox at signup, not bundled into the membership terms, renewed periodically, and withdrawable at any time) or shoot in a way that doesn’t identify individuals.
  • Sharing data with instructors who shouldn’t have it. A freelance teacher covering one class doesn’t need access to your entire member list, billing history, or health declarations from people they’ll never see. Use role-based access. Most modern booking platforms have it built in.
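The retention rule above, and the “erasure is not absolute” point from the subject access section, are easier to get right when the logic is written down once and run on a schedule rather than decided member by member. The sketch below is an added example written for this article, not Class Booking’s code: it anonymises members who have been inactive past a configurable window or who have asked for erasure, while keeping invoice records that fall inside an assumed seven-year bookkeeping period (check your own country’s figure). The data model, field names and sample members are constructed for illustration.

```python
"""Retention sweep for a studio's member records (added example, not Class Booking code).

Two rules from the article, made mechanical:
  1. Members inactive past INACTIVITY_WINDOW, or who asked for erasure, are anonymised.
  2. Invoices inside the bookkeeping retention period are kept even for erased members;
     invoices past it are purged.
All field names and the retention periods below are assumptions for this example.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

INACTIVITY_WINDOW = timedelta(days=730)       # 24 months; pick what fits your business
INVOICE_RETENTION = timedelta(days=7 * 365)   # assumed bookkeeping period; verify yours
TODAY = date(2024, 6, 1)                      # fixed "today" so the example is reproducible


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str
    email: str
    phone: str
    health_notes: str            # special category data: the first thing to go
    marketing_consent: bool
    last_activity: date
    erasure_requested: bool = False
    anonymised: bool = False


@dataclass(frozen=True)
class Invoice:
    number: str
    member_id: str
    billing_name: str            # snapshot the ledger needs; not looked up from Member
    issued: date
    amount_cents: int


def scrub(m: Member) -> Member:
    """Replace every identifying field with a placeholder and drop consent flags."""
    return replace(m, name="[erased]", email="", phone="", health_notes="",
                   marketing_consent=False, anonymised=True)


def due_for_anonymisation(m: Member, today: date) -> bool:
    if m.anonymised:
        return False                       # already done; idempotent on re-runs
    if m.erasure_requested:
        return True                        # explicit request beats the inactivity clock
    return today - m.last_activity > INACTIVITY_WINDOW


def invoice_under_legal_hold(inv: Invoice, today: date) -> bool:
    """True while bookkeeping law still requires the record to exist."""
    return today - inv.issued <= INVOICE_RETENTION


def retention_sweep(members, invoices, today):
    """Return (members, invoices, report) after applying both rules."""
    out_members, anonymised_ids = [], []
    for m in members:
        if due_for_anonymisation(m, today):
            out_members.append(scrub(m))
            anonymised_ids.append(m.member_id)
        else:
            out_members.append(m)
    kept_invoices = [i for i in invoices if invoice_under_legal_hold(i, today)]
    report = {"anonymised": anonymised_ids,
              "invoices_purged": len(invoices) - len(kept_invoices)}
    return out_members, kept_invoices, report


# Constructed sample data: one active member, one long-inactive member, one recent
# erasure request, and one member already anonymised by an earlier run.
MEMBERS = [
    Member("m-001", "Anna Holm", "anna@example.invalid", "+45 00 00 00 01",
           "knee surgery, spring 2023", True, date(2024, 5, 20)),
    Member("m-002", "Bjorn Lund", "bjorn@example.invalid", "+45 00 00 00 02",
           "", True, date(2021, 1, 10)),
    Member("m-003", "Clara Nygaard", "clara@example.invalid", "+45 00 00 00 03",
           "pregnant, 2nd trimester", True, date(2024, 4, 1), erasure_requested=True),
    Member("m-004", "[erased]", "", "", "", False, date(2019, 2, 2), anonymised=True),
]
INVOICES = [
    Invoice("INV-2017-0001", "m-002", "Bjorn Lund", date(2017, 3, 1), 45000),
    Invoice("INV-2021-0010", "m-002", "Bjorn Lund", date(2021, 1, 10), 45000),
    Invoice("INV-2023-0042", "m-003", "Clara Nygaard", date(2023, 11, 15), 89000),
    Invoice("INV-2024-0007", "m-001", "Anna Holm", date(2024, 5, 20), 89000),
]


def run_demo():
    return retention_sweep(MEMBERS, INVOICES, TODAY)


if __name__ == "__main__":
    members, invoices, report = run_demo()
    print(report)
    for m in members:
        print(m.member_id, m.name, repr(m.health_notes), m.anonymised)
    print([i.number for i in invoices])
```

The design choice worth noticing is that the invoice carries its own billing-name snapshot, so the member profile can be scrubbed without breaking the ledger; the sweep never reaches into invoices to decide anything about a member, and never reaches into members to decide anything about an invoice.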

Where Class Booking helps

We’re a processor, not a controller, so most of the editorial decisions stay with you. But the technical scaffolding is built in:

  • EU data residency. Servers in the EU, no transfers to third countries by default.
  • An audit log of who accessed what, when, and from where.
  • One-click GDPR export of everything tied to a member.
  • Data deletion on request, with retention overrides for legally required records.
  • Role-based access so instructors only see the classes and members they need to.
  • A signed data processing agreement, plus a public sub-processor list so you know who else touches your data.
  • Breach notification protocols documented in the DPA.
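Role-based access comes up twice on this page: the fix for forwarding rosters by email and WhatsApp, and the rule that a covering instructor shouldn’t see health declarations for people they’ll never teach. The following is an added example written for this article, not Class Booking’s implementation, of what that looks like as code: a roster lookup that lets an instructor see only their own classes, gives the front desk contact details but never health notes, denies any role it doesn’t recognise, and writes every lookup, allowed or denied, to an audit log. Roles, field names and the sample studio data are constructed assumptions.

```python
"""Least-privilege roster view for a studio booking system (added example, not Class Booking code).

Each role maps to the member fields it may see; a role not in the table sees nothing.
Instructors are additionally limited to sessions they teach. Every call is audited.
Role names, fields and sample data are assumptions for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Member:
    member_id: str
    name: str
    email: str
    health_notes: str    # special category data: shown only where teaching requires it


@dataclass(frozen=True)
class ClassSession:
    class_id: str
    title: str
    instructor_id: str
    attendee_ids: tuple


# Fields each role may see on a roster. Unlisted fields are hidden; unlisted roles are denied.
ROLE_FIELDS = {
    "owner": ("name", "email", "health_notes"),
    "instructor": ("name", "health_notes"),   # and only for sessions they teach
    "front_desk": ("name", "email"),
}


class AccessDenied(PermissionError):
    pass


def roster(user_id, role, class_id, sessions, members, audit):
    """Return the attendee rows `user_id` may see for `class_id`, or raise AccessDenied."""
    session = sessions.get(class_id)
    fields = ROLE_FIELDS.get(role)
    allowed = (
        session is not None
        and fields is not None
        and (role != "instructor" or session.instructor_id == user_id)
    )
    # Audit before returning anything, so denials are recorded too.
    audit.append({
        "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user_id, "role": role, "class": class_id,
        "outcome": "allowed" if allowed else "denied",
    })
    if not allowed:
        raise AccessDenied(f"{user_id} ({role}) may not view the roster for {class_id}")
    return [{f: getattr(members[mid], f) for f in fields} for mid in session.attendee_ids]


# Constructed sample studio: two instructors, three members, two sessions.
MEMBERS = {
    "m-001": Member("m-001", "Anna Holm", "anna@example.invalid", "knee surgery, spring 2023"),
    "m-002": Member("m-002", "Bjorn Lund", "bjorn@example.invalid", ""),
    "m-003": Member("m-003", "Clara Nygaard", "clara@example.invalid", "pregnant, 2nd trimester"),
}
SESSIONS = {
    "c-mon-0700": ClassSession("c-mon-0700", "Reformer Pilates", "i-ana", ("m-001", "m-002")),
    "c-tue-1800": ClassSession("c-tue-1800", "Vinyasa", "i-ben", ("m-003",)),
}


def _attempt(*args):
    try:
        return roster(*args)
    except AccessDenied:
        return "denied"


def run_demo():
    audit = []
    return {
        "own": roster("i-ana", "instructor", "c-mon-0700", SESSIONS, MEMBERS, audit),
        "cross": _attempt("i-ana", "instructor", "c-tue-1800", SESSIONS, MEMBERS, audit),
        "desk": roster("u-desk", "front_desk", "c-tue-1800", SESSIONS, MEMBERS, audit),
        "unknown": _attempt("u-mkt", "marketing", "c-mon-0700", SESSIONS, MEMBERS, audit),
        "audit": audit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the deny-by-default table is that adding a new role (a freelance cover teacher, say) means writing down explicitly which fields they get, and forgetting to do so gives them nothing rather than everything. The audit entry is written before the decision is acted on, so a denied attempt to read a health declaration is visible to the owner later, which is exactly the trail a spreadsheet sent over WhatsApp never has.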

None of this is heroic. It’s what a modern processor is meant to provide. But we list it explicitly because some older platforms still don’t, and being clear about where the lines fall is part of what makes the controller side of the work tractable.

A short closing note

GDPR is less mysterious than it’s often made out to be. Have a good reason for the data you collect. Tell people what you’re doing with it. Keep it secure. Delete it when you’re done. Let people see and remove their own data when they ask. The documentation is a one-page privacy policy, a one-page record of processing, a one-page breach plan, and a record of marketing consent. That’s most of it.

And — for the third time, because it bears repeating — if a specific question matters for your business, talk to a data protection lawyer. We can make the scaffolding work; the editorial decisions are still yours.
