Privacy Policy
How Ascot United Football Club collects, uses, and protects your personal data.
Last updated: 2 March 2026 | Version: 1.0
1. Introduction
Ascot United Football Club ("we", "us", "our") is the data controller responsible for the personal data collected through the Ascot United FC Membership Platform at app.ascotunitedfc.co.uk.
This privacy policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Protection Contact:
Dan Birchmore
Email: [email protected]
Address: [Club address to be confirmed]
2. Personal Data We Collect
Account information (parents and guardians)
- Full name, email address, phone number
- Home address (line 1, line 2, city, county, postcode)
- Date of birth
- FA Fan Number (FAN)
- Communication preferences (club news, team news)
Children and player members
- Full name and date of birth
- Passport-style headshot photograph
- Identity document (passport or birth certificate scan)
- Medical notes, allergies, and health conditions
- FA Fan Number (FAN) and membership number
- Playing day preferences and team allocation
Secondary contacts (additional parent or guardian)
- Full name, email address, phone number
- Relationship to child
Staff and volunteers
- Full name, email address, phone number
- DBS certificate numbers and expiry dates
- Coaching and safeguarding qualifications (certificate numbers, proof documents, expiry dates)
- Team and role assignments
Referees
- Full name, email address, phone number
- FA registration number and qualification level
- Availability and unavailability periods
Camp bookings
- Child name, date of birth, medical notes, allergies
- Parent/guardian name, email, phone number
- Emergency contact name and phone number
Ticketing and events
- Customer name, email address, mobile number
- Purchase history and order references
Communications
- Email and SMS message content sent through the platform
- Email thread history and attachments
Governance
- Board member names, positions, contact details
- Meeting attendance and voting records
Technical data (collected automatically)
- IP address and browser User-Agent string (recorded in our security audit log)
- Session authentication cookie
3. How We Collect Your Data
- Directly from you — when you register, update your profile, book camps, purchase tickets, or contact us through the platform.
- Automatically — our security audit system records your IP address and browser information when you perform actions on the platform.
- From third parties — payment confirmation from Stripe and SumUp; FA registration data as part of league and county FA processes.
4. Lawful Bases for Processing
Under Article 6 of the UK GDPR, we process your personal data on the following lawful bases:
| Purpose | Lawful Basis | Details |
|---|---|---|
| Membership registration and management | Contract performance (Art. 6(1)(b)) | Necessary to fulfil our membership obligations to you |
| FA and league player registration | Legal obligation (Art. 6(1)(c)) | Required by FA rules, Berks & Bucks FA, and league regulations |
| Safeguarding (DBS checks, medical info for children) | Legal obligation (Art. 6(1)(c)) and vital interests (Art. 6(1)(d)) | Child safeguarding duties and emergency medical response |
| Payment processing (fees, tickets, camps) | Contract performance (Art. 6(1)(b)) | To process membership fees, ticket and camp booking payments |
| Club and team communications | Legitimate interests (Art. 6(1)(f)) | Keeping members informed about club activities; opt-out available |
| Security, fraud prevention, and audit logging | Legitimate interests (Art. 6(1)(f)) | Protecting accounts and maintaining a security audit trail |
| Governance and compliance record-keeping | Legal obligation (Art. 6(1)(c)) | Maintaining governance records as required for a football club |
5. Special Category Data
Under Article 9 of the UK GDPR, certain types of data require additional protection:
- Medical information and allergies (children/players) — processed on the basis of explicit consent given during registration and, where necessary, to protect vital interests in medical emergencies.
- Photographs of children — processed on the basis of explicit parental consent given during registration. Headshot photos are used solely for player identification purposes.
- DBS check information (staff/volunteers) — processed for reasons of substantial public interest in accordance with Schedule 1, Part 2 of the Data Protection Act 2018 (safeguarding of children and individuals at risk).
6. Who We Share Your Data With
We share personal data with the following third-party processors and organisations, only to the extent necessary for the stated purpose:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Mailgun (Sinch Group) | Email delivery | Email addresses, message content, attachments | EU |
| EveryMessage | SMS delivery | Mobile phone numbers, message content | UK |
| Stripe | Online payment processing | Customer name, email, payment amounts. Card details go directly to Stripe and are never stored on our servers. | US (with UK/EU data processing) |
| SumUp | Card reader and online payments | Transaction amounts and references. Card details are processed by SumUp hardware and systems. | EU/UK |
| Microsoft Azure | Document and photo storage, secrets management | Uploaded documents (ID scans, headshots, qualification certificates) | UK/EU |
| The FA, Berks & Bucks FA, league organisers | Player and referee registration | Player names, dates of birth, FA numbers as required by regulations | UK |
Additionally, when you use the platform your browser loads fonts from Google Fonts and framework files from jsDelivr CDN. These services may receive your IP address and browser information as part of standard web requests.
We may also disclose personal data to law enforcement or regulatory bodies if required to do so by law.
7. International Data Transfers
Some of our third-party processors operate outside the UK. Where personal data is transferred internationally, we ensure appropriate safeguards are in place:
- Stripe (US) — transfers are covered by Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum.
- Google Fonts and jsDelivr (global CDNs) — IP addresses may be transferred to servers outside the UK as part of standard content delivery.
- Mailgun is configured to use EU-region servers. EveryMessage, SumUp, and Microsoft Azure process data within the UK/EU.
8. Data Security
We take the security of your personal data seriously and have implemented the following measures:
- All connections are encrypted using HTTPS (TLS)
- Passwords are encrypted at database level and never stored in plain text
- Multi-factor authentication (MFA) is available for all accounts and can be enforced by administrators
- Security headers are applied to all pages to prevent common web attacks
- Anti-forgery tokens protect all form submissions
- Role-based access controls limit data visibility to authorised staff only
- Payment card details are never stored on our servers — all card payments are processed through PCI-DSS compliant systems (Stripe and SumUp)
- Uploaded documents are stored in access-controlled containers
- API keys and sensitive configuration are stored in Azure Key Vault
- Authentication cookies are marked HttpOnly, Secure, and SameSite=Strict
9. Cookies
This platform uses only strictly necessary cookies as defined by the Privacy and Electronic Communications Regulations (PECR) 2003. No consent is required for these cookies.
| Cookie | Purpose | Duration |
|---|---|---|
| Authentication cookie | Identifies your logged-in session. Essential for the platform to function. | 8 hours (sliding expiry) |
| Anti-forgery token | Protects against cross-site request forgery attacks on form submissions. | Session |
We do not use any tracking cookies, analytics cookies, advertising cookies, or third-party tracking pixels.
10. Data Retention
We retain personal data in accordance with the following periods:
| Data | Retention Period | Reason |
|---|---|---|
| Active membership accounts | While the account remains active | Ongoing membership relationship |
| Deactivated accounts | Retained in a deactivated state | FA compliance, safeguarding audit trail, and financial record-keeping obligations |
| Identity documents and photographs | While the account exists | Player identification and FA registration requirements |
| Payment records | 6 years from transaction date | HMRC financial record-keeping requirements |
| Safeguarding records (DBS, qualifications) | Duration of involvement plus retention as required by safeguarding guidance | Child protection and safeguarding obligations |
| Audit logs (IP addresses, actions) | Retained for security purposes | Security monitoring and incident investigation |
| Pending ticket and camp orders | 48 hours | Automatically expired and cleaned up |
| Communication records | While the associated account exists | Message history and dispute resolution |
11. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access (Article 15) — request a copy of the personal data we hold about you.
- Right to rectification (Article 16) — request correction of inaccurate data. You can update most of your details directly through your account.
- Right to erasure (Article 17) — request deletion of your data, subject to our legal obligations (e.g., FA registration records, safeguarding records, and financial records).
- Right to restrict processing (Article 18) — request that we limit how we use your data in certain circumstances.
- Right to data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21) — object to processing based on legitimate interests.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time. For example, you can update your communication preferences in your account settings.
We do not carry out any automated decision-making or profiling as defined by Article 22 of the UK GDPR.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month.
12. Children's Data
As a youth football club, we process personal data of children who are registered as players or attend our camps.
- Parental or guardian consent is obtained during the registration process before any child data is collected.
- Parents and guardians manage their children's data through their own accounts on the platform.
- Children's data includes name, date of birth, medical notes, allergies, headshot photograph, and identity documents.
- Medical information is collected solely for safeguarding and emergency purposes.
- Access to children's data is restricted to authorised club staff with appropriate roles (team managers, coaches, administrators).
13. Communication Preferences
- You can opt in or out of club news and team news communications at any time through your account settings.
- Transactional communications (registration confirmations, payment receipts, security alerts, fixture notifications) are sent regardless of your preferences as they are necessary for the performance of our membership agreement with you.
14. Complaints
If you have any concerns about how we handle your personal data, please contact us first at [email protected].
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
15. Changes to This Policy
We may update this privacy policy from time to time. The "Last updated" date at the top of this page will be revised accordingly. Where we make material changes, we will notify you through the platform or by email. Your continued use of the platform after changes are published constitutes acceptance of the updated policy.
Data Controller: Ascot United Football Club
Contact: [email protected]