Privacy Policy

Privacy Policy – Updated 2025

Rubicon Leisure (RL) is a Local Authority Trading Company. Redditch Leisure facilities are operated by Rubicon Leisure on behalf of the Local Authority.

Rubicon Leisure collects and processes personal information to provide leisure services across our sites. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). We only collect the information necessary to deliver our services and process your data under the lawful bases set out below.

Legal Bases for Processing

Depending on the service, we use these lawful bases (UK GDPR Article 6):

• Contract – to fulfil a contract or take steps at your request before entering into a contract (e.g., memberships, ticket sales, facility hire, event bookings).
• Legal obligation – where we must process data to comply with the law (e.g., incident reporting under RIDDOR).
• Consent – where you have given clear consent for optional activities such as marketing communications or use of images.
• Legitimate interests – for certain administrative tasks necessary to operate our services, balanced against your rights.

Where we process special category data (e.g., health information), we do so under Article 9(2)(h) for health and social care purposes, or another applicable Article 9 condition.

Site-Specific Information

Abbey Stadium

Lawful basis: Contract (membership, facility hire, activities, newsletter subscriptions where requested) and legal obligation (RIDDOR reporting where applicable).

Children and capacity: Where the data relates to a child, a parent/guardian must complete the contract. Where a person is 18+ but lacks capacity, an appropriate adult/guardian must complete it.

What we collect may include:

• Name, address, date of birth, contact details
• Emergency contact details
• Health declaration (where relevant to safe participation)
• Payment details (where appropriate)
• Proof of any concession (not retained)
• First aid records (injury/illness details and treatment provided)

Optional consent-based processing (PECR/marketing):

• Communications relating to your membership and activities you are interested in
• Waiting lists (e.g., swim lessons, exercise classes)
• Promotions and audience insights to improve services

Pitcheroak Golf Course

Lawful basis: Contract (membership, pay-as-you-play, facility hire, club membership, newsletter subscriptions where requested) and legal obligation (RIDDOR where applicable).

What we collect may include:

• Name, address, date of birth, contact details
• Emergency contact details
• Health declaration (where relevant)
• Payment details (where appropriate)
• Proof of any concession (not retained)
• First aid records

Optional consent-based processing: communications in connection with your membership and events you are interested in.

Arrow Valley Visitor Centre

Lawful basis: Contract (newsletter subscriptions where requested, facility/function hire) and legal obligation (RIDDOR where applicable).

What we collect may include:

• Name, contact details
• Payment details (where appropriate)
• First aid records

Optional consent-based processing: communications about your transactions and events you attend; promotions; audience insights to improve services. If you do not consent to additional processing, your rights are unaffected. You can browse the website or contact the Arrow Valley Visitor Centre directly without disclosing personal information. You will still receive essential transactional messages when you purchase tickets or book workshops.

Forge Mill Needle Museum

Lawful basis: Contract (newsletter subscriptions, events, activities, workshops, hires) and legal obligation for collections management (including compliance with the UNESCO 1970 Convention and the Dealing in Cultural Objects (Offences) Act 2003). RIDDOR applies for first aid incidents where required.

What we collect may include:

• Name, contact details, emergency contact details
• Payment details (where appropriate)
• First aid records

Optional consent-based processing: communications about your transactions and events you attend; promotions; audience insights to improve services. If you do not consent to additional processing, your rights are unaffected. You can browse the website or contact the Forge Mill Needle Museum directly without disclosing personal information. You will still receive essential transactional messages when you purchase tickets or book workshops.

Palace Theatre

Lawful basis: Contract (ticket purchases, workshop bookings, account creation, function hire, newsletter/email marketing subscriptions where requested) and legal obligation (RIDDOR where applicable).

What we collect may include:

• Name, address, date of birth, contact details
• Emergency contact details
• Health declaration (where relevant)
• Payment details (where appropriate)
• Proof of any concession (not retained)
• First aid records

Optional consent-based processing: communications about your transactions and events you attend; promotions; audience insights to improve services. If you do not consent to additional processing, your rights are unaffected. You can browse the website or contact the Box Office without disclosing personal information. You will still receive essential transactional messages when you purchase tickets or book workshops.

Youth Theatre

Lawful basis: Contract (membership) and legal obligation (RIDDOR where applicable). For under-13s, parental/guardian consent is required in line with the ICO’s Age-Appropriate Design Code. Where a member is 18+ but lacks capacity, an appropriate adult/guardian must complete the contract.

Data collected about your child may include:

• Name, address, date of birth, school/college information
• Emergency contact details
• Medical information
• Travel information
• First aid records

Data collected about the parent/guardian may include:

• Name, address, contact details
• Payment details (where appropriate)

Optional consent-based processing: images and video footage to promote Summer & Autumn shows on the website and social media.

Community Centres

Lawful basis: Contract (one-off or rolling facility hire) and legal obligation (where applicable).

What we collect may include:

• Name, contact details
• Evidence of public liability insurance
• Licence details (where applicable)
• Payment details (where appropriate)

Processing of Special Category Data

Where health information is collected (e.g., to ensure safe participation), this is processed in accordance with UK GDPR Article 9(2)(h) for health and social care purposes across: Abbey Stadium, Pitcheroak Golf Course, Arrow Valley Visitor Centre, Forge Mill, Palace Theatre and Youth Theatre.

Marketing Communications (PECR)

We will only send you marketing communications (e.g., newsletters, promotions) where we have your consent or where allowed by PECR. You can withdraw consent or change your preferences at any time (see “Contact Us”). Where you agree to be contacted, your data is kept until you withdraw consent or it is overwritten in line with our retention practices.

Who We Share Your Information With

We share data with trusted providers strictly for service delivery, under contract and with appropriate safeguards. Examples include:

Abbey Stadium

• Rubicon Leisure employees (Abbey Stadium)
• Perfect Gym – point of sale, membership management and bookings
• GoCardless – Direct Debit authorisation and collection
• Stripe – online payments and recurring card payments
• SPIVI – where you sign up, your information is shared securely with this platform during registration
• Website hosting – The Carbon Group
• SurveyMonkey – used to collect customer feedback and Net Promoter Score (NPS) responses. SurveyMonkey processes this data on our behalf under agreed restrictions and in line with UK GDPR
• Mailchimp – used to manage marketing newsletters where you have opted in. Mailchimp processes your name, email address and preferences securely under agreed restrictions. You can unsubscribe at any time by using the link in each email or by contacting us directly

Pitcheroak Golf Course

• Rubicon Leisure employees (Pitcheroak Golf Course)
• Haven Systems – point of sale
• Perfect Gym – membership management and bookings
• GoCardless – Direct Debit authorisation and collection
• Stripe – online payments and recurring card payments
• Website hosting – The Carbon Group
• SurveyMonkey – used to collect customer feedback and Net Promoter Score (NPS) responses. SurveyMonkey processes this data on our behalf under agreed restrictions and in line with UK GDPR
• Mailchimp – used to manage marketing newsletters where you have opted in. Mailchimp processes your name, email address and preferences securely under agreed restrictions. You can unsubscribe at any time by using the link in each email or by contacting us directly

Arrow Valley Visitor Centre

• Rubicon Leisure employees (Arrow Valley Visitor Centre)
• Haven Systems – point of sale
• Website hosting – The Carbon Group
• Beyonk – ticket sales (under agreed restrictions)
• SurveyMonkey – used to collect customer feedback and Net Promoter Score (NPS) responses. SurveyMonkey processes this data on our behalf under agreed restrictions and in line with UK GDPR
• Mailchimp – used to manage marketing newsletters where you have opted in. Mailchimp processes your name, email address and preferences securely under agreed restrictions. You can unsubscribe at any time by using the link in each email or by contacting us directly
• Lemon Booking (Tectonic Software ApS) – booking and invoicing support (under agreed restrictions)

Forge Mill Needle Museum

• Rubicon Leisure employees (Forge Mill / Arrow Valley Visitor Centre support)
• Haven Systems – point of sale
• Beyonk – online ticket sales support (under agreed restrictions)
• Website hosting – Arrowscape
• SurveyMonkey – used to collect customer feedback and Net Promoter Score (NPS) responses. SurveyMonkey processes this data on our behalf under agreed restrictions and in line with UK GDPR
• Mailchimp – used to manage marketing newsletters where you have opted in. Mailchimp processes your name, email address and preferences securely under agreed restrictions. You can unsubscribe at any time by using the link in each email or by contacting us directly

Palace Theatre

• Rubicon Leisure employees
• PatronBase UK – box office systems/support (under agreed restrictions)
• Haven Systems – point of sale
• SurveyMonkey – used to collect customer feedback and Net Promoter Score (NPS) responses. SurveyMonkey processes this data on our behalf under agreed restrictions and in line with UK GDPR
• Patron Post – used to manage marketing newsletters where you have opted in. Patron Post processes your name, email address and preferences securely under agreed restrictions. You can unsubscribe at any time by using the link in each email or by contacting us directly

Youth Theatre

• Rubicon Leisure employees via PatronBase UK (under agreed restrictions)
• Worcestershire County Council – where a child is required to miss school and takes part in a licensable performance

Community Centres

• Rubicon Leisure employees – administration and income (transactional data)
• Lemon Booking (Tectonic Software ApS) – booking and invoicing support (under agreed restrictions)
• SurveyMonkey – used to collect customer feedback and Net Promoter Score (NPS) responses. SurveyMonkey processes this data on our behalf under agreed restrictions and in line with UK GDPR
• Mailchimp – used to manage marketing newsletters where you have opted in. Mailchimp processes your name, email address and preferences securely under agreed restrictions. You can unsubscribe at any time by using the link in each email or by contacting us directly

Emergency situations: Where anyone requires medical attention, information may be shared with the emergency services. Information will not be shared other than as stated unless required by law or for safeguarding purposes.

Cookies and Tracking

We and third-party providers use cookies and similar technologies (e.g., pixel tags) on our websites and in our emails to improve services, measure performance and support marketing. You can manage your preferences at any time via our cookie banner and your browser settings.

We do not sell your personal data. We do not transfer data outside the UK/EEA unless appropriate safeguards are in place (such as adequacy regulations or standard contractual clauses).

How Long We Keep Your Information

• Abbey Stadium: membership information – 6 years; room booking information – 12 months from the hire date.
• Pitcheroak Golf Course: membership information – 6 years; room booking information – 12 months from the hire date.
• Arrow Valley Visitor Centre: room booking information – 12 months from the hire date.
• Forge Mill Needle Museum: room booking information – 12 months from the hire date.
• Palace Theatre: marketing contact data – retained until overwritten or consent withdrawn; you can change preferences in your account at any time.
• Youth Theatre: contact/marketing data – retained until overwritten or consent withdrawn; you can change preferences at any time.
• Community Centres: room booking information – 6 months from the hire date.
• Transactional/payment records: kept for 7 years under the Limitations Act 1980.
• Images where consent is given: reviewed/updated every 2 years.
• Marketing/ Newsletter: until you unsubscribe 

Otherwise, where you enter into a contract or take part in activities, information is retained for the length of the contract and, where ongoing, refreshed annually.

Your Rights

Under UK GDPR you have the following rights (subject to conditions):

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure (“right to be forgotten”)
• Right to restrict processing
• Right to object to processing, including direct marketing under PECR
• Right to data portability
• Right to withdraw consent at any time (where processing is based on consent)

Automated Decision-Making

No decisions around this data are made by automated means.

CCTV Policy

CCTV and associated systems are used only for the following purposes:

• To help reduce the fear of crime
• To deter, detect and prevent crime
• To deter and detect anti-social behaviour
• To assist in the apprehension and identification of offenders
• To enhance community safety and encourage use of local facilities
• To support staff safety, protect business interests and uphold health and safety
• For the maintenance of public order
• To provide information for traffic management
• To provide high quality evidence to assist in criminal and civil proceedings
• To protect property
• To provide assistance and reassurance to the public in emergency situations

Contact Us

To exercise your rights or ask questions about this policy, please contact:

Info@rubiconlesiure.co.uk

If you raise a concern with us and are not satisfied with our response, you can contact the Information Commissioner’s Office (ICO) for independent advice and the right to complain.