BURNS GYM PRIVACY POLICY
1. INTRODUCTION & SCOPE
This Privacy Policy (“Policy”) is issued by:
• Burns Gym Ltd, a company incorporated and registered in the United Kingdom, with its registered office at Central Chambers Building, 93 Hope Street, 5th Floor, Suite 406/407, Glasgow, United Kingdom; and
• Burns Gym LLC, a limited liability company organized under the laws of the State of Delaware, United States, with its principal office at 8 The Green, Suite B, Dover, Delaware 19901, United States.
Together, Burns Gym Ltd and Burns Gym LLC are referred to as “Burns Gym,” “we,” “our,” or “us.” Both entities operate jointly to provide exercise and wellness services under the trade name Burns Gym.
This Policy explains how Burns Gym collects, uses, discloses, transfers, and protects personal data when you or your organization uses our services. It also describes the rights available to you under applicable laws, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and U.S. state privacy laws such as the California Consumer Privacy Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA).
This Policy applies to all personal data collected through and in connection with Burns Gym’s services, including the Burns Gym website, available at www.burnsgym.com (the “Website”), the Age with Vitality Online Platform, which provides fitness and wellness programs, resources, and assessments tailored for older adults and residents of care homes (the “Platform”), and the Age with Vitality Live Workouts, which are live, remote exercise sessions delivered to participating organizations via video conferencing technology (the “Live Workouts”).
This Policy applies to organizational clients (such as care homes, assisted living facilities, and other institutional partners), authorized staff who administer accounts and supervise Residents, and Residents who participate in exercise and wellness activities through the Platform or Live Workouts under staff supervision.
2. DEFINITIONS
For purposes of this Policy:
• “Personal Data” means any information relating to an identified or identifiable natural person, such as name, email address, age, health information, or activity data.
• “Special Category Data” refers to sensitive data, including health-related information (e.g., mobility limitations, responses to wellness questionnaires, physical assessments), which we process only with explicit consent.
• “Residents” means older adults, care home participants, or other individuals under an organization’s supervision who engage with our wellness programs.
• “Organization” or “Facility” means the care home, nursing home, assisted living facility, or other institutional client that contracts with Burns Gym to access the Services.
• “Services” means collectively the Website, Platform, and Live Workouts provided by Burns Gym.
3. CATEGORIES OF PERSONAL DATA WE COLLECT
We collect different types of personal data depending on how your organization, staff, or Residents use our Services. The categories of data include:
3.1 Identification Data: We may collect basic identification information necessary to create accounts, provide access to the Services, and personalize content, including first and last name, age, date of birth, gender, email address, and affiliation with a care home or organization.
3.2 Account Data: To register and access the Platform, care homes and their staff may be required to provide account information, including login credentials (username and password) and role-based identifiers (e.g., administrator, staff user). Passwords are stored in a secure, encrypted format. We do not use account information for marketing purposes unless explicit and separate consent is obtained.
3.3 Usage Data: When you or your organization interact with the Website or Platform, we automatically collect usage-related data, including Internet Protocol (IP) address, browser type and version, device type and operating system, log files and server activity records, session activity, clickstream data, interaction with features, and cookies, trackers, and similar technologies (see Section 9 – Cookies & Tracking Technologies).
3.4 Activity & Wellness Data: To provide personalized exercise and wellness content, we collect activity-related data from care homes and Residents, including participation logs (e.g., sessions attended, exercises completed), assessment results (e.g., mobility tests, progress tracking), responses to wellness or health screening questionnaires, and notes or entries recorded by authorized staff. This data is used strictly for wellness program delivery and not for clinical or diagnostic purposes.
3.5 Special Category (Health) Data: With explicit consent, we may collect limited health-related information (“special category data” under GDPR) to personalize wellness programs, including mobility limitations or physical impairments, general health status (non-clinical, self-reported), and relevant wellness indicators identified by care home staff. This information is processed only with appropriate safeguards and is not used for medical treatment, diagnosis, or therapeutic interventions.
3.6 Data Collected During Live Workouts: For Age with Vitality Live Workouts, Burns Gym collects minimal information: the care home’s designated registration email address and the administrative details necessary to provide session access. We do not collect or record Residents’ personal data during live video sessions. Care homes are solely responsible for supervising Residents and ensuring participation is safe and appropriate.
4. HOW WE COLLECT PERSONAL DATA
We collect personal data in a variety of ways, depending on how your organization, staff, or Residents use the Services. The primary methods are:
4.1 Direct Collection from Organizations and Staff: When a care home or organization registers for our Services, we collect information directly from staff members who create and manage accounts. This may include staff contact details, login credentials, and administrative preferences. We may also collect Resident-related information directly from staff where necessary to set up and manage profiles on the Platform.
4.2 Data Entered by Care Homes on Behalf of Residents: Care homes and authorized staff may enter Resident information into the Platform to allow Residents to participate in the Age with Vitality program. This may include basic identification details (e.g., name, age, gender) and wellness-related information (e.g., assessment results, mobility status).
By submitting this information, your organization confirms that it has obtained appropriate authority, consent, or legal basis to share the data with Burns Gym. Burns Gym does not independently verify Resident data entered by care homes and relies on organizations to ensure accuracy and lawfulness.
4.3 Automatically Collected Data (Cookies, Trackers, Usage Logs): When users access the Website or Platform, we automatically collect certain data through cookies, trackers, and log files. This may include IP addresses, device type, browser details, operating system, session activity, and usage metrics.
Cookies and trackers may be used for service functionality, security, analytics, and performance monitoring. Non-essential cookies will only be activated with valid user consent (see Section 9 – Cookies & Tracking Technologies).
4.4 Third-Party Integrations (Vimeo, Zoom, YouTube, Wix): Our Services rely on integrations with trusted third-party providers to deliver video content, host services, and facilitate live sessions. For example, we use Vimeo and YouTube to stream pre-recorded exercise videos, Zoom (or equivalent video platforms) to deliver live online workouts, and Wix to host and operate our Website.
These providers may collect limited data (such as IP address, usage logs, or cookies) when you interact with their services through our Website or Platform. Burns Gym does not control how these third parties process data and encourages users to review their respective privacy policies for more information.
5. PURPOSES OF PROCESSING PERSONAL DATA
We process personal data only for specified, explicit, and legitimate purposes. The primary purposes include:
5.1 Providing and Operating the Services: We process personal data to deliver our core Services effectively. This includes registering and authenticating organizational accounts, providing access to the Website, Platform, and Live Workouts, and ensuring secure participation for staff and Residents. Without this data, we could not verify authorized users or provide tailored access to our systems.
We also rely on information provided by care homes to confirm that Residents are properly enrolled and can safely take part in wellness activities. By managing accounts and monitoring access, we help ensure Residents receive appropriate support under the supervision of authorized staff.
5.2 Personalizing Content & Exercise Programs: We use certain personal data to tailor exercise content and recommendations to the needs of Residents. Factors such as age, mobility level, and non-clinical health details help us tailor programs to ensure they are safe, engaging, and beneficial. Participation logs and activity data also allow staff to monitor wellness improvements over time.
In addition, aggregated insights may be shared with organizations to give them an overview of Resident engagement and progress. These personalization measures are strictly for wellness purposes. Burns Gym does not use personal data for medical diagnosis, treatment, or clinical decision-making.
5.3 Managing Accounts and Access Control: Account and login data are processed to ensure that care homes and staff can use the Services securely. This includes creating accounts, storing encrypted passwords, and assigning role-based permissions so that only the right people can access specific features.
We also use personal data to prevent unauthorized access or account misuse. By managing credentials and monitoring activity, we help maintain the integrity of the Services and ensure that Resident data is only handled by authorized personnel.
5.4 Communication with Care Homes (Administrative Only): We process contact details of organizational representatives to communicate about account setup, billing, service updates, and technical support. This ensures that care homes receive the information they need to manage accounts and keep Services running smoothly.
We may also use contact information to send reminders about Live Workout schedules or updates to the Platform. Importantly, we do not use Resident or staff data for marketing purposes unless explicit, separate consent has been given.
5.5 Security, Fraud Prevention, and Abuse Detection: Personal data is used to safeguard the Services against threats and misuse. We collect technical data, such as log files and usage records, to monitor performance, detect suspicious activity, and protect against malware and cyberattacks.
We may also use this information to investigate potential violations of our Terms & Conditions. This helps us prevent fraud, stop abuse of the Services, and maintain a secure and reliable environment for organizations and Residents.
5.6 Legal and Regulatory Compliance: In some cases, we must process personal data to meet our legal obligations. This may involve retaining certain records for tax or accounting purposes, responding to lawful requests from authorities, or complying with data protection regulations in the UK, EU, and U.S. states.
We may also process data to enforce contractual rights or protect the safety and rights of Residents, staff, and Burns Gym itself. These measures ensure that we operate lawfully and maintain trust with the organizations we serve.
6. LEGAL BASES FOR PROCESSING (UK GDPR & DATA PROTECTION ACT 2018)
Under the UK GDPR and the Data Protection Act 2018, we must identify a lawful basis for each type of personal data processing. Burns Gym relies on the following legal bases:
6.1 Contractual Necessity: We process certain personal data because it is necessary to perform a contract with your organization, or to take steps at your request before entering into such a contract. This includes registering and authenticating organizational and staff accounts, providing access to the Website, Platform, and Live Workouts, and managing billing, subscription, and account administration. Without this processing, we would not be able to deliver the Services.
6.2 Consent (for Health-Related / Special Category Data): We may process health-related or “special category” data (such as wellness assessments, mobility limitations, or Resident participation data) only with explicit consent provided by authorized care home staff on behalf of Residents. Consent must be freely given, specific, informed, and unambiguous. Consent may be withdrawn at any time (see Section 16 – Withdrawing Consent & Data Deletion Requests).
6.3 Legal Obligation: We process certain data where necessary to comply with legal and regulatory obligations, such as responding to valid legal requests from government authorities, complying with accounting, tax, or corporate recordkeeping requirements, and ensuring compliance with applicable data protection and consumer protection laws.
6.4 Legitimate Interests: We process certain personal data where necessary to pursue our legitimate business interests, provided that the interests, rights, or freedoms of individuals do not override such processing. Examples include monitoring system performance and detecting fraudulent or abusive activity, enhancing the security of our Services, improving functionality and user experience on the Website and Platform, and communicating important service updates to organizational representatives. Where legitimate interests apply, we balance these interests against the privacy rights of individuals before proceeding.
6.5 Explicit Consent (for Wellness Assessments and Sensitive Data): For certain sensitive data processing activities, including wellness screening responses, mobility assessments, or other activity-related data that could reveal health information, we require explicit written or digital consent.
This consent is typically obtained through care home staff when registering Residents or completing assessments. Explicit consent is necessary because this type of data qualifies as special category data under GDPR. Processing will not take place without such consent, and consent can be withdrawn at any time.
7. U.S. STATE PRIVACY LAWS COMPLIANCE
Certain U.S. states have enacted consumer privacy laws that provide residents with specific rights regarding their personal information. This section applies to residents of California, Virginia, Colorado, Connecticut, and Utah (collectively, “U.S. State Privacy Laws”).
If you are a resident of one of these states, you may have additional rights beyond those described elsewhere in this Policy. These rights generally apply to personal information collected from staff and Residents in the course of using the Services, subject to exceptions provided under state law (e.g., information covered by HIPAA, employee records, or de-identified data).
7.1 Categories of Data Disclosed or Shared
In the past 12 months, Burns Gym may have collected and disclosed certain categories of personal information for business purposes. These include identifiers such as names, email addresses, and organizational affiliations; account data such as login credentials and encrypted passwords; internet and usage data such as IP addresses, device information, cookies, and usage logs; activity and wellness data such as participation logs and non-clinical assessments; and sensitive data such as health-related information voluntarily provided to support wellness personalization.
We do not sell personal information for monetary consideration. However, under some state laws, certain disclosures of personal information to service providers or third-party partners may be considered a “sale” or “sharing.”
7.2 “Do Not Sell or Share My Information” Rights
Residents of California and other states with similar privacy laws have the right to direct businesses not to sell or share their personal information. Although Burns Gym does not sell personal data for monetary consideration, certain disclosures to service providers or third-party partners (for example, analytics providers or video hosting platforms) may qualify as a “sale” or “sharing” under state law.
To respect these rights, Burns Gym provides a “Do Not Sell or Share My Information” link on our Website, where individuals or organizations may submit opt-out requests at any time. Requests can also be submitted by email to contact@burnsgym.com. Once we receive an opt-out request, we will stop any data practices that are considered a sale or sharing under applicable state law, except where such sharing is necessary to deliver our core Services (e.g., hosting or security).
We will confirm receipt of an opt-out request and process it within the legally required timelines. Opt-out requests apply to the personal information we hold at the time of the request as well as to any future collection and disclosure. Individuals exercising this right will not be discriminated against, and their access to Services will remain unchanged, although certain features may not function properly if sharing is disabled.
8. HIPAA DISCLAIMER
Burns Gym provides wellness and fitness services only and is not a healthcare provider. Unless expressly agreed otherwise in writing, Burns Gym does not act as a “Business Associate” under the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Our Services are not designed or intended to process, store, or transmit Protected Health Information (PHI) as defined by HIPAA. Any wellness-related information processed by Burns Gym (such as activity logs, wellness assessments, or mobility information) is collected solely for general fitness and wellness purposes, not for clinical care, treatment, or diagnosis.
If your organization is a HIPAA-covered entity (such as a nursing home, healthcare facility, or medical provider) and requires Burns Gym to process PHI, a separate, duly executed Business Associate Agreement (BAA) must be in place prior to such processing.
Without a BAA, you agree not to upload, transmit, or otherwise disclose PHI to Burns Gym through the Services. If PHI is shared with Burns Gym without a BAA, your organization remains solely responsible for such disclosure and any resulting compliance obligations.
9. COOKIES & TRACKING TECHNOLOGIES
9.1 Types of Cookies Used
Our Website and Platform use cookies, tags, pixels, and similar technologies (“cookies”) to enhance user experience, improve performance, and support our Services. The categories of cookies include:
• Essential Cookies: These are required for the operation of the Website and Platform. They enable core features such as page navigation, login authentication, and secure account access. Without these cookies, the Services may not function properly.
• Analytics Cookies: They help us understand how users interact with the Website and Platform by collecting information such as pages visited, time spent, and error reports. These cookies are used to improve functionality and user experience.
• Functional Cookies: They enable enhanced features such as remembering user preferences, saving login sessions, and providing customized content. These are not strictly necessary but improve convenience and usability.
When you first visit our Website or Platform, a cookie consent banner will appear to inform you about our use of cookies and to request your preferences. Non-essential cookies (e.g., analytics and functional) will only be activated once you have provided valid consent. You can accept all cookies, reject all non-essential cookies, or customize your cookie preferences at any time.
9.2 How to Manage Cookie Preferences
You may adjust or withdraw your cookie preferences by using the cookie settings tool or consent banner available on our Website, adjusting browser settings to block or delete cookies (note: blocking essential cookies may limit functionality), and opting out of third-party analytics providers directly through their opt-out mechanisms (e.g., Google Analytics opt-out). For detailed instructions on controlling cookies, consult your browser’s help documentation.
Further details about the specific cookies we use, their purposes, and duration are provided in our Cookie Policy, which is incorporated by reference into this Privacy Policy and available here.
10. DATA SHARING & THIRD-PARTY RECIPIENTS
We share personal data only as necessary to provide our Services, comply with legal obligations, or protect our rights. We do not sell personal information for monetary consideration. The main categories of recipients include:
10.1 Service Providers (Hosting, Analytics, Video Platforms)
We engage trusted third-party service providers to support the operation of our Website, Platform, and Live Workouts. These providers act on our behalf and may only process personal data in accordance with our instructions. Examples include Hosting and Platform Providers (e.g., Wix.com Ltd.) to operate the Website, Video Streaming Providers (e.g., Vimeo, YouTube) to deliver pre-recorded exercise content, Video Conferencing Providers (e.g., Zoom) to host Live Workouts, and Analytics Providers to help us monitor performance and improve user experience.
All service providers are contractually required to implement security measures and to process personal data only for the agreed purposes.
10.2 Care Home Staff as Authorized Users
Care home staff and organizational representatives may have access to Resident data entered into the Platform to supervise participation, monitor progress, and manage accounts. Burns Gym does not control how care home staff use this access. Your organization is responsible for ensuring that its staff members handle Resident data lawfully, fairly, and securely.
10.3 Legal and Regulatory Authorities
We may disclose personal data when required by law or in response to lawful requests from public authorities, including compliance with court orders, subpoenas, or regulatory inquiries, meeting tax, accounting, or corporate recordkeeping obligations, and protecting our rights, property, or the safety of Residents, staff, or third parties.
10.4 External Links Disclaimer
Our Website may include links to external websites, such as arthritis.com or the World Health Organization (WHO). These links are provided for informational purposes only. Burns Gym is not responsible for the content, accuracy, or privacy practices of external websites. We recommend reviewing the privacy policies of any third-party sites you visit.
11. INTERNATIONAL DATA TRANSFERS
11.1 UK - US Transfers via Data Privacy Framework (DPF)
When personal data is transferred from the United Kingdom to the United States, Burns Gym may rely on the UK Extension to the EU–U.S. Data Privacy Framework (DPF), approved by the UK government. This mechanism ensures that personal data transferred to certified U.S. entities receives a level of protection essentially equivalent to that under UK data protection law.
11.2 Use of Standard Contractual Clauses (SCCs) & UK IDTA
Where the Data Privacy Framework is not applicable, we may use Standard Contractual Clauses (SCCs) issued by the European Commission, together with the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU SCCs. These are legally binding contracts that require data recipients outside the UK/EEA to protect personal data in accordance with applicable data protection standards.
11.3 Transfers to Israel (Adequacy Decision)
Some of our service providers (e.g., Wix.com Ltd.) are based in Israel. The UK government has recognized Israel as providing an adequate level of protection for personal data. This means transfers of data to Israel are permitted without the need for additional transfer mechanisms.
11.4 Safeguards in Place
To protect personal data transferred internationally, we implement the following safeguards:
• Data Minimization – Only the minimum personal data necessary for transfer is shared.
• Contractual Protections – Service providers are bound by contracts requiring confidentiality, data security, and lawful processing.
• Technical Measures – Encryption, secure transmission protocols, and access controls are used to reduce risks during cross-border transfers.
• Ongoing Compliance Reviews – We periodically review the legal landscape and update our transfer mechanisms if required by law.
12. DATA RETENTION
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal and regulatory obligations, and to resolve disputes. Retention periods vary depending on the type of data.
Burns Gym applies different retention periods depending on the type of personal data collected. General identification data, such as names, ages, and email addresses, is retained for the duration of an organization’s active account and deleted within 30 days of termination unless otherwise required by law. Account data, including login credentials and encrypted passwords, is kept as long as the account remains active and deleted within 30 days of closure.
Usage data, such as cookies, device information, and logs, is retained for up to 12 months to support analytics and service improvements, unless consent is withdrawn earlier. Activity and wellness data, including participation logs and assessments, are kept for up to 2 years after a Resident’s last activity, unless a deletion request is made sooner. Finally, special category (health) data is retained for no longer than 2 years after a Resident’s last use of the Platform, or until explicit consent is withdrawn, whichever occurs first.
12.1 Standard Retention Periods
For UK and EU residents, Burns Gym will respond to and honor valid requests for the deletion of personal data within 30 days, in accordance with the requirements of the UK GDPR and EU GDPR. For U.S. residents, we will respond to and fulfill valid deletion requests within 45 days, as required by state privacy laws. Where permitted by law, this period may be extended by an additional 45 days if reasonably necessary. In such cases, we will notify the requester of the extension and explain the reasons for the delay.
When a care home cancels its account or services are otherwise terminated, all Resident profiles, assessments, and related records are deleted within 30 days, unless retention is required by law.
12.2 Legal Obligations for Extended Retention
In certain cases, we may retain data beyond the standard retention periods to meet legal or regulatory obligations, including:
• Accounting and Tax Requirements: Financial transaction data may be retained for up to 7 years in accordance with applicable accounting and tax laws.
• Regulatory Investigations or Disputes: Data may be preserved for the duration of any ongoing legal, regulatory, or dispute resolution process.
• Fraud Prevention and Security: Minimal account data may be retained for up to 5 years after termination to detect and prevent fraudulent or abusive use of the Services.
All retained data remains subject to the safeguards described in this Privacy Policy.
13. YOUR RIGHTS – UK & EU RESIDENTS
If you are located in the United Kingdom or the European Union, you have specific rights under the UK GDPR and the EU GDPR with respect to your personal data. Burns Gym is committed to upholding these rights. You may exercise them at any time by contacting us at contact@burnsgym.com.
13.1 Right of Access: You have the right to obtain confirmation as to whether we are processing your personal data, and if so, to request a copy of the data along with information about how it is used, shared, and retained.
13.2 Right to Rectification: You have the right to request correction of any inaccurate personal data and to have incomplete data completed.
13.3 Right to Erasure (“Right to Be Forgotten”): You have the right to request the deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, you withdraw consent and no other legal basis for processing applies, you successfully object to the processing, and the data has been unlawfully processed. We may retain certain data where necessary to comply with legal obligations (e.g., tax or accounting requirements).
13.4 Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain situations, including when you contest its accuracy, when processing is unlawful, or when you object and we are verifying overriding grounds. During restriction, we will continue to store your data but will not process it further except with your consent or for legal purposes.
13.5 Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format. You may also request that we transmit this data directly to another controller, where technically feasible.
13.6 Right to Object: You may object to the processing of your personal data when it is based on our legitimate interests, unless we can demonstrate compelling legitimate grounds for the processing that override your rights and freedoms, or where processing is necessary for legal claims. You may also object at any time to the processing of your data for direct marketing purposes.
13.7 Right to Withdraw Consent: Where processing is based on your consent (for example, wellness assessments or special category data), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal, but may limit your ability to use certain features of the Services.
13.8 Right to Lodge a Complaint: You have the right to complain to your local supervisory authority if you believe we have not handled your personal data in accordance with the law.
In the United Kingdom, this is the Information Commissioner’s Office (ICO): www.ico.org.uk or Telephone: +44 303 123 1113.
If you are in the European Union, you may contact your national data protection authority. A list of authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
14. YOUR RIGHTS – U.S. RESIDENTS
If you are a resident of California, Virginia, Colorado, Connecticut, or Utah, you may have specific rights under state privacy laws. These rights are in addition to the general protections described in this Policy. You may exercise these rights at any time by contacting us at contact@burnsgym.com.
14.1 Right to Know What Data We Collect: You have the right to request that we disclose the categories of personal information we collect, the sources from which it is collected, the business purposes for which it is used, and the categories of third parties with whom it is shared.
14.2 Right to Access and Obtain a Copy: You may request access to the specific pieces of personal information we have collected about you. Upon verification, we will provide you with a copy of your data in a portable and readily usable format.
14.3 Right to Correct Inaccurate Data: You have the right to request correction of any inaccurate or incomplete personal information we hold about you.
14.4 Right to Delete Personal Data: You may request deletion of personal information we have collected about you, subject to certain exceptions (e.g., data required to complete transactions, provide services, comply with legal obligations, or detect fraud).
14.5 Right to Opt Out of Sale/Sharing: You have the right to opt out of the “sale” or “sharing” of your personal information as those terms are defined under applicable state laws. Burns Gym does not sell personal information for monetary value. However, some disclosures to service providers or analytics partners may be considered a “sale” or “sharing” under state law.
You can opt out at any time via our “Do Not Sell or Share My Information” page or by emailing contact@burnsgym.com.
14.6 Right to Limit Use of Sensitive Personal Data: If you are a resident of California (or of another state with similar rights), you may request that we limit our use of sensitive personal data (e.g., health-related information). Burns Gym already restricts the use of sensitive personal data solely to providing wellness personalization. We do not use sensitive data for marketing or unrelated purposes.
14.7 Right to Non-Discrimination for Exercising Privacy Rights: We will not discriminate against you for exercising your privacy rights. This means we will not deny you access to the Services, charge you different prices, or provide a lower quality of service solely because you exercised your rights under state law.
You may submit privacy rights requests by emailing us at contact@burnsgym.com.
15. DATA SECURITY
15.1 Administrative, Technical, and Physical Safeguards
We employ a combination of organizational, technical, and physical safeguards to protect personal data, including access controls and role-based permissions, secure hosting environments with firewalls and intrusion detection systems, regular security monitoring and vulnerability assessments, and staff training on data protection and privacy compliance.
15.2 Encryption of Passwords and Sensitive Data
Account passwords are stored in a secure, encrypted format and are never visible to Burns Gym staff. Sensitive data, including special category (health) data, is transmitted using secure protocols (e.g., HTTPS/TLS) and stored with encryption or other protective measures where appropriate.
15.3 Limitations (No System 100% Secure)
While we take reasonable and appropriate measures to protect personal data, no system or method of transmission over the internet is entirely secure. We cannot guarantee the absolute security of personal data transmitted through our Services.
Any transmission of data is at the user’s own risk, and we encourage organizations to take additional steps to secure their networks and devices.
15.4 Organization’s Responsibilities (Staff Devices, Access Control)
Because our Services are provided to care homes and similar organizations, the organization itself also plays a critical role in safeguarding Resident data. Your organization is responsible for ensuring that staff devices used to access the Platform are secure (e.g., updated operating systems, antivirus protection, strong passwords), limiting access to Resident data only to authorized staff members, keeping login credentials confidential and not sharing them outside of the organization, and promptly notifying Burns Gym of any actual or suspected unauthorized access, security breach, or misuse of accounts.
16. WITHDRAWING CONSENT & DATA DELETION REQUESTS
16.1 How to Withdraw Consent (Residents, Guardians, Organizations)
If a Resident or their legal representative wishes to withdraw consent for participation or for the processing of wellness or health-related data, they may do so by notifying their care home staff or by contacting Burns Gym directly at contact@burnsgym.com.
Care homes and other organizations may withdraw consent or request deletion of their account and related Resident data by submitting a written request to Burns Gym.
Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal, but may limit or prevent continued use of certain Services.
16.2 Timeline for Processing Requests
• UK/EU Residents: We will respond to valid requests to withdraw consent or delete personal data within 30 days, in line with UK GDPR requirements.
• U.S. Residents: We will respond within 45 days, as required by state privacy laws. In some cases, we may extend this by an additional 45 days if reasonably necessary, and we will notify you if such an extension applies.
16.3 Effect of Withdrawal on Service Access
If consent is withdrawn, or if data deletion is requested, access to certain features of the Platform or Live Workouts may be limited or disabled. For example, if Resident wellness data is deleted, we may no longer be able to provide personalized exercise programs or track progress.
If an organization cancels its account, all Resident profiles, assessments, and related data will be deleted within 30 days of termination, unless retention is required for legal or regulatory reasons (see Section 12 – Data Retention).
17. CHILDREN’S PRIVACY
17.1 COPPA Compliance
Our Services are designed for use by care facilities and their adult Residents and are not directed at children under the age of 13. In compliance with the U.S. Children’s Online Privacy Protection Act (COPPA), we do not knowingly collect, use, or maintain personal information from children under 13 years of age. If it comes to our attention that such information has been collected without verifiable parental consent, we will promptly take action to delete it from our systems.
Parents or legal guardians who believe that their child may have provided personal information to Burns Gym without consent are encouraged to contact us immediately at contact@burnsgym.com. Upon receiving such a request, we will verify the identity of the requester and ensure the child’s information is securely deleted, unless retention is required by law.
17.2 Adult Users Under Staff Supervision
The Age with Vitality Platform and Live Workouts are specifically designed for care homes, assisted living facilities, and similar organizations serving older adults. These Services are intended for adult Residents, typically seniors, who participate in exercise and wellness activities as part of supervised care programs.
Care home staff play a critical role in ensuring that only appropriate participants are granted access to the Services. Staff must also supervise Residents at all times during use of the Platform or Live Workouts, helping to ensure that participation is both safe and beneficial. Burns Gym does not provide accounts or direct access to minors and relies on organizations to enforce proper supervision and participant eligibility.
18. CHANGES TO THIS PRIVACY POLICY
Burns Gym reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, services, or legal requirements. Any updates will be consistent with applicable privacy and data protection laws.
When changes are made, we will post the revised Privacy Policy on our Website and update the “last modified” date at the top of the page. For significant or material changes, we may also notify organizations directly by email using the contact details associated with their account. Continued use of our Services after the effective date of the revised Privacy Policy constitutes acceptance of the updated terms.
If we make material changes that affect how we process personal data based on consent (for example, expanding the scope of health-related data collection), we will request new consent before applying those changes to existing data, and provide clear information about the nature of the change, its impact, and the options available to you.
19. CONTACT INFORMATION
If you have any questions, concerns, or requests regarding this Privacy Policy or the way Burns Gym processes personal data, you may contact us using the details below:
U.K. Office
Burns Gym Ltd
Central Chambers Building
93 Hope Street, 5th Floor, Suite 406/407
Glasgow, United Kingdom
U.S. Office
Burns Gym LLC
8 The Green, Suite B
Dover, Delaware 19901
United States
20. DATA CONTROLLER & CONTACT INFORMATION
The Services are operated jointly by:
• Burns Gym Ltd
Central Chambers Building
93 Hope Street, 5th Floor, Suite 406/407
Glasgow, United Kingdom
• Burns Gym LLC
8 The Green, Suite B
Dover, Delaware 19901
United States
For the purposes of the UK GDPR, the Data Protection Act 2018, and relevant U.S. state privacy laws, Burns Gym Ltd and Burns Gym LLC act as joint data controllers. This means both entities jointly determine the purposes and means of processing personal data collected through our Services.
Although Burns Gym is not legally required to appoint a formal Data Protection Officer under UK GDPR Article 37, we have designated a Data Protection Lead to oversee compliance and handle inquiries.
Data Protection Lead:
Anthony Burns
Email: contact@burnsgym.com