Privacy Policy

A comprehensive guide to how we collect, use and protect the data you provide.

This guide applies to

  • All users of our facilities, including regular users, customers, members and partners. 
  • Anyone who uses our website, our join@home membership system or who registers at our reception.

Who is the Data Controller?

Heriot-Watt Services Limited, a wholly owned subsidiary of Heriot-Watt University trading as Oriam, is the Data Controller for personal data we hold about you. Oriam is accountable to Heriot-Watt University and as a member of the Heriot-Watt University Group is subject to the University Data Protection Policy. Where we use the term ‘University’, this includes all members of the Heriot-Watt University Group including Oriam. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulation (GDPR) and other relevant privacy laws.

Data Collection

What data do we collect?

We gather Personal Information and Anonymous Information from you when you visit our website. “Personal Information” means any information that may be used to identify an individual, including, but not limited to: a first and last name; e-mail address; a home, postal or other physical address (when using services designed to deliver or send items to you) or other contact information necessary to provide a service that you requested. “Anonymous Information” means information that is not associated with or linked to your Personal Information; Anonymous Information does not permit the identification of individual persons.

We collect and hold personal information in all formats for the purposes set out in this guide.

  • Name and address;
  • E-mail address
  • Financial information
  • Goods or services provided;
  • Visual images e.g. on a membership card

If you purchase through our website, we will record your billing address, however we do not record your payment card details.
If you email us directly via an email hyperlink or contact form to provide us with feedback or to ask us a question regarding the site, we will record any information contained in such email.
If you fill out a form on the site, which asks for your personal information, we will record your contact information and other fields within the form.
Where this is necessary to meet a legal obligation, or with your consent, we may also process sensitive information, also known as special categories of data under GDPR, or protected characteristics under UK human rights law which may include:

  • Age
  • Disability
  • Physical or mental health
  • Pregnancy and Maternity
  • Gender

How do we collect  information?


What are cookies, and how do we use them? Cookies are small text files that are sent to and stored on your web browser, smartphone or other device to allow you to store specific information that can be used to improve the user experience on a website. Further information about cookies (including how to disable them) can be found on

What type of cookies do we use?

Session Cookies are stored only temporarily during a browsing session and are deleted from the user’s device when the browser is closed.  We also use cookies to store your responses to online polls / voting systems. These do not identify you or the selections you make, but helps to show you new content.

Data use

Why do we collect this information?

To meet our duty of care to you and our legal obligations

What is our legal basis? Where this is necessary to:

  • Comply with a legal obligation; this may be under employment, social security and social protection law, immigration law or another statutory duty
  • Protect vital interests in an emergency; 
  • Exercise or defend legal claims or comply with court judgements;
  • Provide medical and health services;
  • Protect public health.
  • Comply with legal duties in the substantial public interest e.g. for equality monitoring
  • To meet our legal duty of care to you under health and safety and safeguarding laws;
  • To protect your vital interests or someone else’s e.g. in a medical emergency;

For public safety and the prevention and detection of crime

What is our legal basis?

  • Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences,
  • Where required by law
  • For the safeguarding against and the prevention of threats to public security.

Processing for these purposes includes:

  • Use of CCTV systems to monitor and collect visual images;
  • IT security monitoring
  • Fraud prevention and detection
  • Reporting incidents of suspected criminal activity to the police
  • Applying security, welfare and other procedural measures where necessary for the safety and security of our users, staff and the wider University community under health and safety and other relevant laws.

To improve our services and promote Oriam and the University group

What is our legal basis?

  • Where we have your consent;
  • Where necessary for our legitimate interests as long as this does not compromise your rights to data protection
  • Where necessary for archiving purposes in the public interest.

In order to improve our services we may analyse data about our members’ use of facilities, responses to our promotional campaigns and usage of our website.
We may take photographs, and other images and recordings of users for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of promotional material in the University Archive as a record of Oriam activities down the years.

For archiving and research

What is our legal basis?

  • Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

While always protecting your rights to privacy we will:

  • Retain copies of promotional material and other records of Oriam events and activities community life that may include images and other data about you;
  • Produce management and statistical information to monitor and improve our performance.

Data Storage

How long we keep your personal data

We keep information about you only for as long as needed during the time you use our facility or have a membership with us and meet our legal obligations and rights. We keep a very limited record of our activities for archival purposes. Otherwise, all your personal data is destroyed securely no later than 6 years after you cease to be a member of Oriam. More information about how long we keep your personal data and why is here.

Your Rights

Who your information may be shared with and why

Unless we are required to do so by law, we do not share your personal data with any third parties. We do not share your information for marketing purposes with other organisations or companies.
We may appoint other companies and organisation to deliver services for us that require them to process your information in order to fulfil your requests. For example, we may need to share your information with an events company if you are due to attend one of our events and we are using an events company to manage that event. In the course of operating some of our services, your data may be stored temporarily with our contractors- for example database hosting companies and e-mail distribution services or online payment services. Where we share your information in these circumstances, Oriam has data processor agreements with these contractors to ensure that your data is as secure with them as it is with us. These contractors will not have the right to hold your details or to use them for any other purpose.
If there is an occasion on which we would like to share your personal data with a third party for any other reason ,except where we are required to do so by law, we will always let you know and will obtain your consent before doing so.

To meet our legal obligations to you and to other organisations, we will

  • Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s e.g. in a medical emergency;
  • Provide limited information necessary to an organisation with a statutory function, such as the police, Home Office or other Government Agency; Disclosure Scotland or other relevant disclosure services, where this is necessary for law enforcement.
  • Meet a statutory or regulatory obligation, e.g. a court order

Your Rights

You have the right to:

  • Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request at We may make a charge for additional copies of the same information;

If you think, we are acting unfairly or unlawfully you can:

  • Object to the way we are using your data;
  • Complain to the UK Information Commissioner’s Office.

Under certain conditions, you also have the right to ask us to:

  • Restrict the use of your data e.g. if you have raised issues about the accuracy or use of your personal data, until we have investigated and responded to your concerns;
  • Erase your information or tell us to stop using it to make decisions about you;
  • Comply with your wishes where you have previously agreed to us processing your data for a particular purpose and have withdrawn your consent to further processing;
  • Provide you with a portable electronic copy of data you have given us.

Data Protection Officers and Contacts

If you have any questions about what we do with your personal information or your rights under privacy laws, you can contact us in the following ways:

Kerry Furlong,
Section Head – Admin Services 
Scotland’s Sports Performance Centre
Heriot-Watt University
Edinburgh, EH14 4AS
Phone:+ 44 (0)131 451 8400

Data Protection Officer,
Heriot-Watt University,
Edinburgh EH14 4AS, UK
Phone:+ 44 (0)131 451 3218/3219/3274

Find out more about your rights under privacy law

In our Data Protection Policy and our webpages:

On the website of the UK Information Commissioner’s Office