Skip to main content
Try out our 2 day beginners course BOOK HERE →
Bank holiday Monday - 4th May 2026 - We are open 10am - 7pm!

Privacy Policy

The Reach Climbing Wall ("The Reach", "we", "us", "our") is operated by Leap Training Ltd, a company limited by guarantee, registered in England and Wales under company number 4943740, with its registered office at Unit 6, Mellish Estate, Harrington Way, London SE18 5NR.

This Privacy Policy explains how we collect, use, store, and share your personal information when you visit our website (thereach.org.uk), book a session or course, register as a member, or otherwise interact with us. It also sets out the rights you have over your personal information under UK data protection law.

The provision of your personal information to us is voluntary. However, without it, your use of our services may be limited — for example, you may not be able to register as a member or complete an online booking.

For the purposes of UK data protection law (the UK GDPR and the Data Protection Act 2018), Leap Training Ltd is the data controller of personal information collected through our website and centre operations.

1. How we collect personal information

Directly from you. When you create an account, make a booking, complete our climbing waiver, sign up for our newsletter, contact us via webform / email / phone, or apply for a job with us.

Indirectly via service providers. Our booking platform, payment processor, and email systems collect information when you interact with their services, and we receive that information in order to provide the services you've requested.

Automatically when you use our website. When you visit our website we may collect technical information about your visit (IP address, browser type and version, operating system, pages visited, referring URL, etc.). See section 9 for details on cookies and tracking.

From third parties. Where appropriate, we may receive information from partner organisations such as the Association of Climbing Walls (ABC) for certification and safety schemes, or NICAS for youth climbing certifications.

2. What personal information we collect

We may collect and process the following kinds of personal information:

  • Identity and contact details: name, postal address, email, phone number, date of birth, emergency contact details, and (where applicable) gender;
  • Account and booking information: registration / waiver acknowledgements, booking history, membership status, climbing experience and qualifications;
  • Payment information: card details are collected by Windcave (our PCI DSS Level 1-certified payment processor) and are not stored by us; we retain transaction references and amounts for accounting and refund purposes;
  • Health information (where relevant): medical conditions that may affect your safe participation in climbing, captured in our waiver — we treat this as a special category of personal data under UK GDPR and protect it accordingly;
  • Children's information (where relevant): for under-18 climbers and youth-academy / NICAS participants, including parent / guardian contact details;
  • Communications: any correspondence with our team (email, webform submissions, phone notes);
  • Technical information: IP address, browser, device and operating system details, and information about your visit to the site (pages viewed, referrer, etc.).

3. How and why we use your personal information

We use your personal information to:

  1. register you as a customer or member;
  2. allow you to make a booking and access our facilities;
  3. process payments and issue receipts;
  4. send you transactional information about your bookings (confirmations, reminders, cancellation notices);
  5. respond to your enquiries and provide customer support;
  6. operate and improve our website, services, and centre;
  7. send you marketing or news about our services where you have asked us to (see section 5);
  8. comply with legal, regulatory, accounting, and tax obligations;
  9. operate certification schemes such as NICAS;
  10. protect the safety of staff, members, and visitors, and to investigate or prevent fraud or misuse of our services;
  11. defend our legal rights.

4. Lawful bases for processing

We rely on one or more of the following lawful bases under UK GDPR:

  • Performance of a contract — for example, to provide the booking, membership, or course you have requested.
  • Consent — for example, where you have opted in to marketing emails, or where we collect special-category health information through our waiver. You may withdraw consent at any time.
  • Legitimate interests — for example, to keep our facility safe, prevent fraud, and improve our services. We balance our interests against your rights and do not use your data for activities where the impact on you would be disproportionate.
  • Legal obligation — for example, to meet tax, accounting, or regulatory requirements.
  • Vital interests — for example, in a medical emergency at the centre.

5. Marketing communications

If you have opted in, we may use your email address (and, in limited cases, phone) to send you news about events, courses, classes, or membership offers at The Reach.

You can unsubscribe at any time using the link in our marketing emails, or by emailing info@thereach.org.uk. Unsubscribing from marketing will not affect transactional emails (booking confirmations, account-related notices, etc.), which we send on the basis of our contract with you.

6. Children's personal information

We process personal information about children (under 18) in connection with our youth programmes, schools work, and NICAS. We do this with the consent of a parent or guardian where required, and we have safeguards in place to protect children's information. Our safeguarding policy is available at /safeguarding.

7. How long we keep your personal information

We keep your personal information only for as long as we need it for the purpose for which it was collected and to comply with our legal obligations. In general:

  • Booking and account records: while your account is active and for 6 years after your last interaction, to meet UK accounting and limitation-period requirements;
  • Waivers and climbing-safety records: 6 years after your last visit, in line with claim-limitation periods;
  • Marketing data: until you unsubscribe;
  • Payment-transaction references: 6 years (HMRC requirement);
  • CCTV (if applicable): rotated within a short period (typically 30 days) unless retained for a specific incident.

If you ask us to stop contacting you, we may keep a minimal record of your contact details on a "do not contact" list so we can honour that request.

8. Who we share your personal information with

We do not sell your personal information. We share it only with the following categories of recipients, and only where necessary:

  • Redpoint — our booking and waiver platform. Bookings, account information, and waivers are stored on Redpoint's secure infrastructure. The booking portal lives at portal.thereach.org.uk.
  • Windcave — our payment processor. Windcave collects and processes payment card data on our behalf; PCI DSS Level 1-certified. We see only transaction references and amounts.
  • Google (Workspace SMTP) — used to send transactional and customer-service email. Subject to Google's privacy terms.
  • Google Analytics 4 — used to measure aggregated website usage if you have accepted analytics cookies via our cookie banner. Subject to Google's privacy terms. See section 9.
  • Google reCAPTCHA — used on certain forms to help block automated abuse. Subject to Google's privacy terms.
  • Klaro (cookie consent manager) — runs entirely in your browser and records your cookie choices locally; no personal information is sent to a third party by Klaro itself.
  • The Association of Climbing Walls (ABC) and ABC Training Trust (NICAS) — for safety schemes and youth-climbing certification, where you are enrolled.
  • Our accountants, insurers, and legal advisors — where necessary for the lawful operation of the business.
  • Regulatory and law-enforcement bodies — where required by law (HMRC, ICO, the police).
  • A buyer or successor entity — in the unlikely event the business is sold, merged, or restructured.

9. Cookies and tracking

Our website uses a cookie-consent manager (Klaro) which lets you accept or reject categories of cookies on your first visit and at any time afterwards via the "Cookies & Privacy" controls.

The main cookie / tracking categories used on our site are:

CategoryWhat it doesLoaded only with consent?
NecessaryDrupal session, login, anti-CSRF, cookie-consent stateAlways
AnalyticsGoogle Analytics 4 (anonymised behaviour analytics)Yes — analytics consent
Anti-abuseGoogle reCAPTCHA, on form pagesAlways (essential to prevent spam)
HoneypotServer-side bot detection (no cookies)n/a

For more on what cookies do generally, see ICO's guidance: ico.org.uk/your-data-matters/online/cookies/

10. International data transfers

Some of the third parties we use (notably Google and parts of the Redpoint platform) may transfer or store your data outside the UK, including in the European Economic Area or the United States. Where such transfers happen, we rely on the relevant safeguards required by UK data protection law, such as the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries the UK government has deemed adequate.

11. Security

We maintain appropriate technical and organisational measures to protect personal information from accidental loss, unauthorised access, alteration, or disclosure. These include encrypted website traffic (HTTPS), restricted access to systems based on staff role, regular software updates, and reputable third-party providers selected for their security posture.

No transmission of data over the internet can be guaranteed to be 100% secure. Where possible we use providers that are independently certified (PCI DSS for payments, ISO 27001 for hosting where applicable).

12. Your rights

Under UK data protection law you have the following rights, exercisable free of charge in most cases:

  1. Right of access — to ask what personal information we hold about you and to receive a copy.
  2. Right to rectification — to ask us to correct inaccurate or incomplete information.
  3. Right to erasure ("right to be forgotten") — to ask us to delete your personal information, subject to our legal obligations to retain certain records.
  4. Right to restrict processing — to ask us to stop processing your information in certain circumstances.
  5. Right to object — to processing carried out on the basis of legitimate interests, and to direct marketing at any time.
  6. Right to data portability — to receive certain personal information in a machine-readable format.
  7. Right to withdraw consent — where we rely on your consent, you can withdraw it at any time.
  8. Rights related to automated decision-making — we do not currently make decisions about you based solely on automated processing.

To exercise any of these rights, please contact us using the details in section 15. We will respond within one month (or explain why we need longer, up to a further two months).

13. Complaints

If you are unhappy with how we have handled your personal information, please contact us first so we can try to put things right. You also have the right to complain to the UK Information Commissioner's Office:

14. Changes to this policy

We may update this Privacy Policy from time to time. The current version is always available on this page and applies from the date stated at the bottom. We will notify you of material changes via the website and, where possible, by email.

15. How to contact us

For any privacy-related questions or to exercise your rights:

The Reach Climbing Wall
Unit 6, Mellish Estate
Harrington Way
London SE18 5NR

Email: info@thereach.org.uk
Phone: +44 (0)20 8855 9598

Last updated: May 2026.