1. Who this policy applies to
This policy applies to anyone whose personal data we handle in connection with LEGACY+ Coaching. That
includes prospective clients, current and former clients, parents or guardians, corporate contacts, workshop
participants, website visitors, people who message us through WhatsApp or email, and job applicants.
2. The kinds of personal data we may collect
Basic identity and contact information
We may collect your full name, preferred name, phone number, email address, date of birth or age band,
emergency contact details, address details where needed for billing or service administration, and any
account credentials used for our portals or digital coaching tools.
Coaching and service information
We may collect information about your training goals, exercise history, movement patterns, attendance,
assessment outcomes, session notes, progress reviews, preferred schedule, coach matching notes, package
history, and communication records related to service delivery.
Sensitive personal data
Because we operate in health and fitness, you may also share sensitive information with us. This can include
injuries, surgeries, chronic conditions, medications, pregnancy or postnatal status, pain history, medical
limitations, and other exercise-readiness disclosures. We only ask for that type of information where it is
reasonably connected to safe coaching, programme design, duty of care, or lawful administration.
Financial and transaction information
We may keep invoices, receipts, billing contact details, package balances, payment references, refund or
credit notes, and limited payment records needed to reconcile transactions. We do not intentionally store
more card information than is reasonably required for our payment and bookkeeping arrangements.
Digital and website information
When you visit our website or submit a form, we may collect your IP address, browser type, device
information, pages viewed, referral source, basic cookies, and form metadata so we can secure the site,
improve performance, and understand which pages are working.
Images, video, and facility security
If you appear in authorised photography, video content, CCTV coverage, or progress photos, we may collect
and store those records. Progress photos and testimonial material are handled separately from routine service
administration and, where appropriate, with express permission.
3. How we collect personal data
We may collect data directly from you when you:
- submit an enquiry form, WhatsApp message, contact request, or consultation request;
- book a trial, assessment, coaching session, workshop, or package;
- complete a PAR-Q, readiness form, onboarding form, waiver, or coaching questionnaire;
- communicate with us by phone, email, WhatsApp, social media, or in person;
- use our client portal, coach portal, scheduling tools, or other digital services;
- take part in a corporate wellness event, transformation challenge, or assessment session; or
- apply for a role with us.
We may also receive information from a parent or guardian, an employer arranging a corporate programme, a
physician or allied professional where you ask them to share relevant information, a payment provider, or a
service provider supporting our booking, messaging, analytics, or administrative systems.
4. Why we use personal data
We use personal data for practical business and coaching reasons, including to:
- respond to enquiries and recommend the right service, package, or coach;
- book consultations, movement assessments, coaching sessions, workshops, and follow-up reviews;
- design, deliver, and adjust coaching programmes in a way that is safe and appropriate for you;
- track attendance, progress, milestones, package balances, and client outcomes;
- communicate schedule changes, reminders, coach notes, administrative updates, and service notices;
- process payments, issue receipts, manage credits, and handle finance, audit, or tax records;
- maintain client portals, digital coaching tools, and internal operational records;
- protect the safety, security, and integrity of our facilities, staff, systems, and users;
- improve service quality, coach delivery, website performance, and business planning; and
- comply with legal obligations, enforce our agreements, or respond to regulators, insurers, or legal claims.
5. Sensitive data, health information, and coaching duty of care
We treat health-related information with extra care. In practical terms, this means we ask for it only where
it helps us coach responsibly, we limit access to people who need it for service delivery or administration,
and we expect it to be used on a need-to-know basis. If you choose not to share relevant health information,
we may be limited in our ability to coach you safely or may decide not to provide a particular service.
Where sensitive information is shared for coaching, screening, or injury-management purposes, you consent to
us using that information to assess suitability, tailor sessions, communicate safety notes internally, and
maintain appropriate records of the advice or restrictions given.
6. Marketing, consent, and communication preferences
We may send service-related communications where needed to run your account or booking. Separately, we may
also send marketing communications about coaching, packages, workshops, events, or relevant offers where you
have requested information, given consent, or where the communication is otherwise permitted by law.
You can opt out of marketing at any time by using the unsubscribe link where available or by emailing
admin@legacycoaching.com.my. Opting out of marketing does not affect service messages needed to administer
an active booking, package, membership, or account.
7. Disclosure to third parties
We may disclose personal data where reasonably required to run the business, including to:
- coaches, administrators, and internal personnel who need the information to support your service;
- payment processors, accounting support, booking systems, CRM tools, cloud storage, analytics, and communications vendors;
- insurers, legal advisers, auditors, or professional advisers where needed;
- medical or allied professionals, but only where you ask us to coordinate or where safety requires it and disclosure is lawful;
- corporate clients arranging a programme, but normally only for attendance, administration, or agreed reporting rather than private health details;
- regulators, government bodies, law enforcement, or courts where disclosure is required or reasonably necessary; and
- a purchaser or successor if the business or assets are restructured, sold, or transferred, subject to lawful handling of the data.
8. Cross-border transfers and overseas service providers
Some of the systems we use for email, scheduling, analytics, cloud storage, or digital coaching may involve
data being processed or stored outside Malaysia. Where that happens, we take reasonable steps to ensure the
information continues to be handled with appropriate safeguards and only for legitimate business purposes.
9. Security measures
No online system is risk-free, but we take privacy and security seriously. Depending on the context, our
measures may include access controls, password protections, need-to-know permissions, vendor controls,
device protections, secure payment workflows, and limited retention of sensitive records. We also expect our
coaches and staff to handle client information with discretion.
10. Retention
We keep personal data only for as long as there is a legitimate business, legal, or safety reason to do so.
- General enquiries and lead records may be kept for up to 24 months after our last meaningful contact.
- Client coaching records, waivers, session notes, and progress history may be kept for up to 7 years after the end of the client relationship, or longer where a dispute, claim, or legal issue requires it.
- Billing, finance, and tax-related records may be retained for at least 7 years where required for legal or accounting purposes.
- CCTV or short-term facility security footage may be overwritten on a rolling basis unless preserved for an incident review or legal reason.
- Job applicant data may be retained for up to 12 months unless we need it longer for recruitment, legal, or recordkeeping reasons.
When data is no longer needed, we may delete it, anonymise it, or archive it in a restricted format where
lawful retention is still required.
11. Your rights and choices
Subject to Malaysian law, reasonable verification, and lawful exceptions, you may ask us to provide access
to your personal data, correct inaccurate or incomplete information, withdraw consent for certain uses,
limit or stop direct marketing, or explain how your information is being handled.
Where additional rights become available under Malaysian law from time to time, we will handle requests in
line with the law then in force. We may need to verify your identity, clarify the scope of your request, or
charge a fee where permitted by law for access-related requests.
12. Children and minors
We do not knowingly contract directly with minors for coaching services without appropriate parent or
guardian involvement. If a minor participates in a session or programme, we may collect information from the
parent or guardian and use it for the same safety, coaching, and administrative reasons described in this
policy.
13. Cookies and analytics
Our website may use cookies or similar tools to remember preferences, understand how pages are used, improve
load performance, troubleshoot issues, and measure which enquiries or marketing routes are actually working.
You can usually manage cookies through your browser settings, but some site functions may work less smoothly
if you disable them entirely.
14. Updates to this policy
We may update this policy from time to time to reflect changes in our business, service model, systems, or
legal obligations. When we make a material change, we will update the “Last updated” date on this page and,
where appropriate, take additional steps to bring the revised notice to your attention.
If you have a question about this policy, want to exercise a privacy-related right, or believe your data has
been handled incorrectly, please contact us first so we can review the matter properly.
Email: admin@legacycoaching.com.my
Phone / WhatsApp: 011-39772862
Location: Kuala Lumpur, Malaysia
Please mark privacy requests clearly and give us enough information to identify your account or enquiry. If
you are not satisfied after contacting us, you may also raise the matter with the Malaysian Personal Data
Protection Commissioner or any other authority competent to hear the complaint.