Tribute Franchise Services S.L. (“TFS”, “we”, “us”, or “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, store and protect personal data when you visit our websites, interact with us, submit any of our online forms (including Zoho forms), subscribe to our newsletters, or otherwise communicate with us.

This Privacy Policy applies globally and covers all personal data processed by TFS in connection with:

• Our websites: https://tribute-brands.com/, https://trib3.co.uk/, and https://pilat3s.com/
• All online forms, including Zoho forms and future forms we may introduce.
• All related digital interactions, including CRM tools, contact forms, booking widgets, email marketing, embedded content, and social media integrations.

If you are a studio member, please also refer to our separate Studio Member Privacy Notice for information specific relating to membership and health data, processed through Accuro and other systems.

 

1. Who We Are

The primary controller of your personal data is:

Tribute Franchise Services S.L.
Registered address: Avenida Diagonal 469 (2nd Floor) Barcelona 08036, Spain

Fiscal Registration No: B56246283
Email: [email protected]

We manage the global TRIB3 and PILAT3S franchise systems.

 

Group and franchise structure

TFS acts as the data controller for all processing described in this Privacy Policy.

Some data processed locally by franchisees or master franchisees may be processed with responsibility delegated in the following formats:

• As Independent controllers, e.g. when managing local studio operations, class bookings, or local marketing;
• As Joint controllers with TFS in defined situations;
• As Processors acting under our instructions, where relevant.

We have written agreements in place with all franchise partners allocating responsibilities for data protection.

 

2. Categories of Personal Data We Collect

Depending on how you interact with us, we may collect the following categories of data:

A. Website and browsing data

• IP address, device identifiers
• Browser type, operating system
• Cookie identifiers, analytics data, clickstream behaviour
• Pages viewed, time on page, referral source

B. Contact form submissions / enquiries

• Name, email address, phone number
• Company or organisation details
• Message content and any attachments
• Additional information you voluntarily provide

C. NDAs, and Franchise or master franchise applications

• Identity information
• Contact details
• Financial background information (if requested)
• Business plans or proposals
• ID documents (e.g., passport scans submitted via Zoho forms, where required)

D. Newsletters and marketing communications

• Contact and subscription information
• Email engagement data (opens, clicks)

E. Operational or contractual interactions

• Supplier or partner communications
• Due diligence information
• Billing details (processed by payment providers, not stored by us)

F. Embedded tools and third-party widgets

Information may be collected by tools such as:

• Booking systems (e.g. Momence)
• CRM-integrated forms (e.g. Zoho CRM)
• Live chat widgets
• Social media lead capture tools
• Analytics and advertising pixels

G. Sensitive data (only where necessary)

• Health data via Accuro (studio members only — covered by separate notice)
• Identity documents (where needed for NDAs, franchise applications, or legal verification)

We only collect sensitive data where legally permitted and strictly necessary.

 

3. How We Use Your Personal Data

We use personal data for the following purposes:

A. Operating our websites

• Ensuring proper functionality
• Debugging, maintenance, and security
• Analytics and performance optimisation

B. Responding to enquiries

• Processing contact form submissions
• Providing information about our services
• Communicating with you at your request

C. Franchise and master-franchise processes

• Evaluating applicant suitability
• Conducting due diligence
• Managing onboarding and contractual processes

D. Marketing and communication

• Sending newsletters and updates
• Managing marketing preferences
• Building custom or lookalike audiences (where permitted)
• Measuring engagement

E. Business administration

• Record-keeping, audit, and compliance
• Responding to legal or regulatory obligations
• Managing relationships with partners and suppliers

F. Fraud prevention & security

• Monitoring for misuse
• Authenticating submissions
• Protecting systems and intellectual property

 

4. Lawful Bases for Processing

We process personal data on the following legal bases:

• Contract – where processing is necessary to respond to enquiries, manage applications, or enter into agreements.
• Legitimate interests – including improving our websites, protecting our business, responding to unsolicited enquiries, B2B outreach, analytics, and fraud prevention.
• Consent – for marketing newsletters, non-essential cookies, and any optional data you choose to submit.
• Legal obligation – tax, accounting, regulatory reporting, and compliance.
• Vital interests – only in exceptional cases (e.g., health/safety emergencies).

  

5. How We Share Your Data

We may share your personal data with:

• Franchise partners or master franchisees (where your enquiry relates to a local studio or region)
• Professional advisers (legal, accounting)
• Regulators, courts or authorities
• Third parties in a business sale or restructuring

  

6. Service Providers, Processors & Sub-processors

We use trusted service providers who process data on our behalf, including:

• Zoho (forms, CRM, automation tools)
• Microsoft (Outlook, OneDrive, 365)
• Momence (CRM, class bookings)
• Accuro (health data platform)
• Website hosting providers
• Email and marketing platforms
• Analytics providers (e.g. Google Analytics)
• Payment processors or invoicing systems
• Tools such as live chat, booking widgets, and CRM-injected forms

These providers may in turn use sub-processors (e.g., cloud infrastructure).

We ensure all processors:

• Are bound by written data processing agreements
• Act only on our instructions
• Maintain appropriate security
• Do not use personal data for their own purposes
• Use sub-processors only under strict conditions

 

7. International Data Transfers

Some recipients and service providers are located outside the EU/UK.

Where transfers occur, we rely on:

• Adequacy decisions
• Standard Contractual Clauses (SCCs)
• Data Privacy Framework (where applicable)
• Additional safeguards required under GDPR

You may request a copy of the relevant safeguards (or a description of them). Certain details may be redacted to protect confidentiality.

  

8. Data Retention

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy, taking into account:

• Legal and regulatory requirements
• Potential disputes or audits
• Our internal retention policy

We will apply the following retention standards (unless law requires longer):

• Membership records: duration of membership + six (6) years.
• Waivers/medical forms: membership + three (3) years (to defend potential health & safety claims).
• Health/heart-rate data (Accuro): membership + twelve (12) months, then deletion/anonymisation.
• Employee/contractor records: engagement + six (6) years.
• Payroll/tax data: six (6) years, or longer if required by law.
• Recruitment (unsuccessful applicants): up to twelve (12) months.
• Health & safety / accident records: up to ten (10) years.
• Contractual agreements and related records: duration of agreement + six (6) years.

Where retention periods expire, data will be securely deleted or anonymised.

  

9. Your Rights

You have the following rights (subject to conditions):

• Access
• Rectification and erasure
• Restriction and objection
• Data portability (where applicable).
• Withdrawal of consent
• Rights related to automated decision-making.

To exercise your rights, contact us at [email protected]
We may request identity verification where appropriate.

  

10. Response Times for Data Subject Rights

In line with Article 12(3) GDPR, we will respond to all data subject rights requests (including access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making) without undue delay and in any event within one month of receipt.

• Where requests are complex or numerous, the response period may be extended by up to a further two months.
• In such cases, you will be informed of the extension and the reasons for it within one month of receipt.
• Responses will be provided free of charge unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.

  

11. Automated Decision-Making and Profiling.

We do not make decisions about individuals that are based solely on automated processing, and which have legal or similarly significant effects. If in future we introduce systems that involve such processing (such as AI systems), these will be subject to prior review, safeguards, and human oversight. Any affected data subjects will be notified and given the opportunity to exercise their rights under Article 22 GDPR.

  

12. Marketing Preferences

You may unsubscribe from marketing emails at any time by:

• Clicking the “unsubscribe” link in our emails
• Contacting us directly

You may also object to profiling used for marketing (e.g., custom audiences).

 

13. Cookies and Tracking Technologies

We use cookies and similar technologies for:

• Essential website functions
• Analytics and performance
• Personalisation
• Advertising and tracking (where consented)

For detailed information, please see our Cookies Policy.

  

14. Security

We use appropriate technical and organisational measures, including:

• Access controls and authentication
• Encryption and secure storage
• Logging and monitoring
• Data minimisation
• Regular backups
• Staff training and confidentiality obligations

We also maintain internal policies on security, breach prevention, and DPIAs.

 

15. Data Breaches

If a personal data breach occurs:

• We assess the risk in line with our internal Breach Response Procedure.
• We notify authorities within 72 hours where legally required.
• We notify affected individuals when the risk level requires it.
• We maintain a breach log in compliance with GDPR.

 

16. Third-Party Links and Embedded Content

Our websites may include:

• Links to third-party websites
• Embedded content
• External booking platforms
• Social media integrations

We are not responsible for third-party privacy practices.

  

17. Children

Our websites and forms are not directed at children, and we do not knowingly collect children’s data.

 

18. Global Application

This Privacy Policy applies regardless of your location.

If any mandatory local rights apply, we will honour them.

  

19. Updates to This Policy

We may update this Privacy Policy from time to time.

Material changes will be notified via:

• Updated website postings
• Email notification where appropriate

The “last updated” date at the top of this page indicates the most recent version.

 

20. Contact Us

For all privacy matters, including exercising your rights, please contact:

Email:
[email protected]

Postal address:
Tribute Brands International Head Office
Praceta Professor Alfredo de Sousa 8
1495-241 Algés, Portugal

You also have the right to lodge a complaint with your local supervisory authority, or with the authority responsible for our operations in the EU or UK.