Cookie Policy

Last updated: April 2026

Data Controller: [Your School Name]

Applicable Law: UK GDPR, Data Protection Act 2018, Privacy and Electronic Communications Regulations 2003 (PECR)

1. What are cookies?

Cookies are small text files placed on your device when you visit a website or web application. They allow the application to remember information about your visit and are essential for certain features to function correctly. GymHut uses cookies to keep you signed in and to protect your session from unauthorised access.

2. Cookies we use

Essential These cookies are strictly necessary — the platform cannot function without them

Cookie name	Purpose	Duration	Type
`.GymHut.Session`	Maintains your authenticated session. Without this cookie you would be signed out on every page load.	Session (closes with browser) or 14 days if "Remember me" is selected	First-party, HTTP-only, Secure
`.GymHut.Antiforgery`	CSRF (Cross-Site Request Forgery) protection token. Prevents malicious websites from submitting forms on your behalf.	Session	First-party, HTTP-only, Secure
`.GymHut.TwoFactor`	Stores temporary state during two-factor authentication login flow.	Session	First-party, HTTP-only, Secure
`.GymHut.TempData`	Stores short-lived notification messages (e.g. "Saved successfully") between page redirects.	Single page load	First-party, HTTP-only, Secure

Third-party embedded content Only present when demo videos are watched

Cookie name	Purpose	Duration	Type
`VISITOR_INFO1_LIVE` `YSC` `CONSENT`	Set by YouTube (youtube-nocookie.com) when you watch an exercise demo video. YouTube uses privacy-enhanced mode which limits tracking, but may still set cookies if you interact with the player.	Up to 180 days (YouTube)	Third-party (Google/YouTube)

YouTube demo videos are embedded using youtube-nocookie.com to minimise tracking. YouTube cookies are only set if you click to watch a demo video. You can avoid these cookies entirely by not watching demo videos, or by blocking third-party cookies in your browser settings.

Not used GymHut does not use the following types of cookies

Analytics or tracking cookies (no Google Analytics, Hotjar, Mixpanel etc.)
Advertising or marketing cookies
Social media tracking pixels
Cookies used for profiling or automated decision-making

3. Lawful basis for essential cookies

Essential cookies are placed on the basis of legitimate interests under UK GDPR Article 6(1)(f) and the strictly necessary exemption under PECR Regulation 6(4). These cookies are required for the secure operation of the Platform and cannot be disabled without breaking core functionality. By using GymHut you acknowledge that these cookies will be placed.

YouTube cookies (where present) are placed on the basis of your consent — they are only set when you actively choose to watch a demo video.

4. Cookie security

All GymHut first-party cookies are configured with the following security attributes:

HttpOnly — cannot be accessed by JavaScript, protecting against cross-site scripting (XSS) attacks
Secure — only transmitted over HTTPS connections
SameSite=Strict — not sent with cross-site requests, protecting against CSRF attacks

5. Managing and deleting cookies

You can manage cookies through your browser settings. Note that disabling essential cookies will prevent you from logging in to GymHut.

Browser	Cookie settings page
Chrome	Settings → Privacy and security → Cookies and other site data
Firefox	Settings → Privacy & Security → Cookies and Site Data
Safari	Preferences → Privacy → Manage Website Data
Edge	Settings → Cookies and site permissions → Cookies and site data

6. Changes to this policy

We may update this Cookie Policy when we change how GymHut uses cookies. Any material changes will be communicated via a notice on the Platform. This policy was last updated April 2026.

7. Contact

For any queries about our use of cookies or your data rights, contact: [dpo@yourschool.ac.uk]

To complain to the ICO: ico.org.uk · 0303 123 1113