Data Protection Policy
Welcome to the ClubRight Ltd Data Protection Policy. We are committed to protecting and respecting your privacy.
ClubRight Ltd, with a registered office at Unit 4 Radford Business Park, Radford Way, Billericay, England, CM12 0DP, takes the privacy rights of the users of ClubRight Ltd platforms (which we collectively refer to in this privacy policy as the “Services”), internet and mobile access application based services and websites seriously, ensuring the security of your personal data. You can reach us at enquiries@clubright.co.uk for any enquiries related to data protection.
We are the data controller and we will process your personal data in accordance with the Data Protection Act 2018, the Privacy and Electronic Communications 2003 and the General Data Protection Regulation, which applies across the European Union and the United Kingdom, and national laws which relate to the processing of personal data.
Please note that we do not own any of the personal data hosted by our platforms. Clubs who are utilising the Services are responsible for the security of any personal data collected therein.
ClubRight Ltd is proud to hold Cyber Essentials accreditation, demonstrating our commitment to protecting against cyber threats and ensuring the security of your personal data.
1. Introduction
- This Data Protection Policy sets out how ClubRight Ltd (“we”, “our”, “us”, “the Company”) handles Personal Data when you use any of our Services as a user with a registered account of the platform, when you visit our sites, or use our mobile apps, or provide information to us in any other way.
- Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
- Where we process the data of a registered user, a user of our sites or someone who provides information about themselves directly to us, we will be the data controller. Unregistered users are individuals whose details we may process, as a data-processor, on behalf of the Registered User. This policy explains how we collect and why we process data as a data controller.
2. Your Data
- For the purposes of this data protection policy, “Your Data” means any information about you from which you are personally identifiable, including your name, age, address, role at a club, email address and mobile telephone number and timestamps.
- Please note that we do not have access to or control of the username and password of any user.
- We may create de-identified or anonymous data from personal data by excluding data components (such as your name, email address, or linkable tracking ID) that make the data personally identifiable to you. Our use of anonymised and de-identified data is not subject to this data protection policy.
- The Clubs own all personal information collected through our platforms and are responsible for its security and compliance with applicable laws.
- ClubRight Ltd provides the technology and infrastructure necessary for Clubs to manage their data subject to compliance with the usual authorised uses of the infrastructure in its provided form.
- We recognise that the correct and lawful treatment of Personal Data will maintain trust and confidence in the organisation and will provide for successful business operations. Protecting the confidentiality and integrity of Personal Data is a critical responsibility that we take seriously at all times. The Company is exposed to potential fines of up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher and depending on the breach, for failure to comply with the UK GDPR.
- The DPO is responsible for overseeing this Data Protection Policy and, as applicable, developing related policies and privacy guidelines. That post is held by Wayne Health, and they can be reached at enquiries@clubright.co.uk
- Please contact the DPO with any questions about the operation of this Data Protection Policy or the UK GDPR or if you have any concerns that this Data Protection Policy is not being or has not been followed.
3. How we collect your data
- We may collect and process Your Data in the following circumstances:
- When you utilise our software applications.
- When you register for an account or interact with our Services.
- When you provide Your Data via online forms or other communications.
- When you report a problem or make an enquiry.
- When you participate in our surveys.
4. How we use your information
- We use Your Data to perform our contract with you and provide our Services, including:
- Processing your registration and fulfilling orders.
- Providing you with requested information or services.
- Notifying you about changes to our Services.
- We may use Your Data for marketing purposes with your consent or where permitted by applicable laws.
5. Personal data protection principles
- We adhere to the principles relating to Processing of Personal Data set out in the UK GDPR which require Personal Data to be:
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency);
- collected only for specified, explicit and legitimate purposes (purpose limitation);
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (data minimisation);
- accurate and where necessary kept up to date, subject to the accuracy of information provided (accuracy);
- not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (storage limitation);
- Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction or damage (security, integrity and confidentiality);
- not transferred to another country without appropriate safeguards in place (transfer limitation); and
- made available to Data Subjects and allow Data Subjects to exercise certain rights in relation to their Personal Data (data subject’s rights and requests).
- The Clubs utilising the Services to host their membership management software (CRM) and collect information through our platforms are responsible for its security and compliance with applicable laws and the data protection principles listed above and with the security of its own internal network.
6. Purpose limitation
- Personal Data must be collected only for specified, explicit and legitimate purposes. It must not be further Processed in any manner incompatible with those purposes.
7. Accuracy
- Personal Data must be accurate and, where necessary, kept up to date. It must be corrected or deleted without delay when inaccurate.
8. Storage limitation
- Personal Data must not be kept in an identifiable form for longer than is necessary for the purposes for which the data is processed.
9. Security, integrity and confidentiality
- Personal Data must be secured by appropriate technical and organisational measures against unauthorised or unlawful Processing, and against accidental loss, destruction or damage.
- We are dedicated to maintaining data security by protecting the confidentiality, integrity and availability of the Personal Data, defined as follows:
- Confidentiality: only people who have a need to know and are authorised to use the Personal Data can access it;
- Integrity: Personal Data is accurate and suitable for the purpose for which it is processed; and
- Availability: authorised users are able to access the Personal Data when they need it for authorised purposes.
- The Clubs must maintain the data security of their own platforms and data collection.
10. Reporting a Personal Data Breach
- The UK GDPR requires Controllers to notify any Personal Data Breach to the Information Commissioner and, in certain instances, the Data Subject.
- If you know or suspect that a Personal Data Breach has occurred, please immediately contact the person or team designated within the Club as the key point of contact for Personal Data Breaches, and our DPO. You should preserve all evidence relating to the potential Personal Data Breach.
11. Transfer limitation
- The UK GDPR restricts data transfers to countries outside the UK to ensure that the level of data protection afforded to individuals by the UK GDPR is not undermined.
12. Data Subject’s rights and requests
- A Data Subject has rights when it comes to how we handle their Personal Data. These include rights to:
- withdraw Consent to Processing at any time;
- receive certain information about the Controller’s Processing activities;
- request access to their Personal Data that we hold (including receiving a copy of their Personal Data);
- prevent our use of their Personal Data for direct marketing purposes;
- ask us, or act unilaterally, to erase Personal Data if it is no longer necessary in relation to the purposes for which it was collected or Processed or to rectify inaccurate data or to complete incomplete data;
- restrict Processing in specific circumstances;
- object to Processing which has been justified on the basis of our legitimate interests or in the public interest;
- request a copy of an agreement under which Personal Data is transferred outside of the UK;
- object to decisions based solely on Automated Processing, including profiling (ADM);
- prevent Processing that is likely to cause damage or distress to the Data Subject or anyone else;
- be notified of a Personal Data Breach which is likely to result in high risk to their rights and freedoms;
- make a complaint to the supervisory authority; and
- in limited circumstances, receive or ask for their Personal Data to be transferred to a third party in a structured, commonly used and machine-readable format.
13. Record keeping
- The UK GDPR requires us to keep full and accurate records of all our data Processing activities.
14. Sharing Personal Data
- Generally, we are not allowed to share Personal Data with third parties unless certain safeguards and contractual arrangements have been put in place.
- We may only share the Personal Data we hold with third parties, such as our service providers, if:
- they have a need to know the information for the purposes of providing the contracted services;
- sharing the Personal Data complies with the Privacy Notice provided to the Data Subject and, if required, the Data Subject’s Consent has been obtained;
- the third party has agreed to comply with the required data security standards, policies and procedures, and put adequate security measures in place;
- the transfer complies with any applicable cross-border transfer restrictions; and
- a fully executed written contract that contains UK GDPR-approved third party clauses has been obtained.
15. Changes to this Data Protection Policy
- We keep this Data Protection Policy under regular review. This version was last updated in November 2024.
- This Data Protection Policy does not override any applicable national data privacy laws and regulations in countries where the Company operates.