Data Protection Policy

Effective Date:

This Data Protection Policy outlines how Gymnastify ("we", "us", "our") collects, processes, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Scope

This policy applies to all personal data collected and processed by Gymnastify through our software-as-a-service (SaaS) platform used by clubs, coaches, administrators, parents, and athletes, including children under the age of 13.

2. Our Role

Gymnastify acts as a Data Processor on behalf of clubs and organisations who are the Data Controllers. We also act as a Data Controller for data we collect directly (e.g. admin accounts, billing information).

3. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Consent (for example, parent/guardian consent for children’s data)
  • Contractual necessity (to provide our platform and services)
  • Legal obligation (compliance with UK law)
  • Legitimate interests (platform security, service improvement)

4. Types of Data We Process

  • Identification details (name, date of birth, email address)
  • Club records (attendance, class history, notes)
  • Billing and transaction information
  • Guardian and emergency contact information
  • Technical data (IP address, browser type, device identifiers)

5. Children’s Data

We process children’s data only as entered by verified adult users (e.g. club admins, parents) with appropriate consent. Our platform is designed to meet the standards of the ICO's Age Appropriate Design Code (Children’s Code).

6. Data Security

We implement appropriate technical and organisational measures including:

  • Encrypted transmission (HTTPS, TLS)
  • Role-based access control (RBAC)
  • Regular vulnerability testing
  • Data minimisation and secure storage

7. Data Retention

Data is retained only as long as necessary for the purpose it was collected. Upon termination of service, we offer secure deletion or export of customer data upon request.

8. Data Subject Rights

Data subjects (including children, through a parent/guardian) have rights under UK GDPR, including:

  • Right to access and rectification
  • Right to erasure ("right to be forgotten")
  • Right to restrict or object to processing
  • Right to data portability

Requests can be submitted to us at info@gymnastify.co.uk. We respond within one month.

9. Data Sharing

We do not sell personal data. We may share data with:

  • Trusted third parties (e.g. Stripe for payments)
  • Legal or regulatory bodies if required by law

10. Data Breach Notification

In the event of a personal data breach, we will notify affected parties and the ICO within 72 hours where required by law.

11. Contact & Complaints

If you have concerns about how your data is handled, contact us at info@gymnastify.co.uk. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.