Everyone Plays CIC · UK GDPR

Privacy Policy

How we collect, use, store, and protect your personal data when you interact with Everyone Plays CIC, including our trading name Plymouth Kickabouts.

Version 1.2 · Effective [Insert launch date] · Last reviewed May 2026

Who we are

Everyone Plays CIC is a Community Interest Company registered in England & Wales (company number 17281597), incorporated 18 June 2025, with its registered office at 9 Venn Court, Plymouth, PL3 5NS.

We trade as Plymouth Kickabouts when running grassroots football sessions in Plymouth. Both names refer to the same legal entity, which is the data controller for all personal data described in this policy.

We are registered with the Information Commissioner's Office (ICO) as a data controller under registration number [Insert ICO registration number].

What personal data we collect

We only collect the information we genuinely need to run sessions safely, keep in touch, and meet our legal obligations as a CIC.

When you register to play

  • Name, date of birth
  • Preferred name (optional). Used in session communications and on team sheets shared with other players booked for the same session. See Why we collect it below for the team sheet disclosure.
  • Email address and mobile number
  • Emergency contact name, relationship, and number
  • Any medical conditions, medication, or accessibility needs you choose to share. We strongly encourage everyone to share anything relevant. This information is only seen by session leads and is used solely to keep you safe. If you are completing registration on behalf of someone under 18, please share any conditions or needs we should be aware of for their safety.
  • If you are under 18: your parent or guardian's name, relationship, email, mobile, and their consent record
  • A timestamped record of which consent options you agreed to, and the exact wording you saw at the time
  • Match statistics (appearances, results, goals and assists in Next Goal Wins, Player of the Match placements, clean sheets) recorded after each session you attend. These are linked to your anonymous player number, not your name.

If you join a waitlist for a future product (such as the Unlimited membership tier or the community lottery), we store your email address and the product you expressed interest in. No other data is collected at that point.

When you attend a session

  • Your name on the attendance list for that session
  • Session fees paid (currently £5 per session, recorded in our payment records)
  • Any safeguarding or injury incident notes that involve you (rare, but retained where they exist)

When you contact us or subscribe

  • Name, email, organisation (if applicable), and the content of your message
  • Email address if you subscribe to our newsletter, plus a record that you submitted your email via our subscribe form.

When you donate or sponsor

  • Name, email, donation amount, and Gift Aid status, handled by our payment partner Stripe
  • We do not see or store your card or bank details. Those are processed by the payment provider directly

When you use the website

We never collect: ethnicity, religion, sexuality, immigration status, political views, or financial information beyond what's needed for a donation.

Why we collect it

Each piece of information has a specific purpose. We don't keep anything "just in case."

Why we need it | What we use
Knowing who's coming so we can run safe sessions (registers, team balancing, pitch-side safety) | Name, DOB, session attendance
Contacting you about your session (weather cancellations, pitch changes, urgent updates) | Email, mobile
Responding to a medical emergency on the pitch | Emergency contact, medical notes
Safeguarding: protecting players from harm, especially under-18s | Guardian details, incident notes
Collecting session fees and keeping HMRC-compliant records | Payment records
Sending the newsletter (only if you opt in) | Email, consent record
Promoting sessions with photos/video (only if you opt in) | Images you appear in
Tracking our social impact for funders | Anonymous, aggregated attendance numbers. Never your individual data
Running the Plymouth Kickabouts fantasy leaderboard and tracking session performance | Match statistics linked to anonymous player number only. Name never used.

Team sheets shared with other players in your session

When a team sheet is confirmed for a session, your preferred name (or full name if no preferred name is set) is included in a team sheet email sent to all other players booked for the same session. This is limited to players who have a confirmed paid booking for that session. If you prefer not to use your real name, you can set a pseudonym as your preferred name on your Plymouth Kickabouts profile page at any time. Preferred names must be appropriate; the club reserves the right to ask you to change a preferred name, or to reset it, if it is unsuitable.

Our legal basis for processing

Under the UK GDPR we must tell you the "lawful basis" we're relying on for each type of processing.

Contract / necessary for the service

Your name, DOB, emergency contact, and basic attendance records. We need these to run sessions you've signed up to. You can't opt out of these and still attend.

Consent

Newsletter signups, WhatsApp group membership, photo/video use, optional wellbeing surveys. You opt in at registration and can withdraw that consent any time (see Your rights).

Match statistics recording and leaderboard participation (explicit consent at registration). Club communications by email including session reminders and booking alerts (consent at registration or via profile page). Last-minute session cancellation alerts (consent at registration or via profile page). WhatsApp Community membership (consent at registration for adults; guardian consent at registration for under-18s).

Booking confirmations, payment receipts, safety alerts, and guardian-consent emails are sent on the basis of contract or legal obligation and do not require a separate marketing consent. All other email communications require explicit opt-in consent.

Legal obligation

Payment and attendance records are retained for 7 years to meet HMRC requirements. Safeguarding records may be retained longer where the law requires it.

Legitimate interests

Basic website analytics, incident logs, and our need to contact you about safety-critical changes to a session you're registered for. We've balanced this against your rights and believe it's proportionate, but you can object (see Your rights).

How we use anonymised data

To win funding and show the difference our sessions make, we report on our impact to grant funders and in our CIC annual reports. We only ever use anonymised, aggregated figures for this, for example the total number of sessions delivered, broad age ranges, and the postcode districts we reach. Your name and individual records are never included, and the numbers are grouped so that no single person can be identified. Because this information no longer identifies anyone, we rely on our legitimate interest in demonstrating our community impact rather than asking for your consent. If you'd still prefer your attendance not to be counted even in anonymised totals, just let us know (see Your rights) and we'll exclude it.

Who we share your data with

We are a small volunteer-run organisation and we do not sell, rent, or trade personal data to anyone, ever. We only share data where it's essential to run the service or where we're legally required to.

  • DBS-checked volunteers and trustees who run sessions. Access is limited to what they need (e.g. session leads see the register and emergency contacts; trustees see aggregate numbers)
  • Supabase: stores player registration and booking data on London region servers. PostgreSQL database with row-level security. supabase.com
  • Stripe: processes card payments for session bookings and donations. No card details are stored by us. stripe.com
  • Resend: sends transactional emails (booking confirmations, password resets, guardian consent links). resend.com
  • Cloudflare: hosts the website and serverless functions. Processes only anonymous technical request logs. cloudflare.com
  • JustGiving: optional donation platform. Only applies if you choose to donate via JustGiving. justgiving.com
  • PayPal: optional donation platform. Only applies if you choose to donate via PayPal. paypal.com
  • GoCardless: processes direct debit mandates for Regular membership and Community Supporter recurring donations. Mandate data stored securely under FCA regulation. gocardless.com
  • HMRC, the Police, or other statutory bodies: only where we are legally required to, or where there is a serious safeguarding concern.

We have written data-processing agreements in place with all of our suppliers. We never transfer your data outside the UK or EU without the legal safeguards required by the UK GDPR.

Where & how we store your data

  • All personal data is stored on UK or EU-based servers covered by UK GDPR or an equivalent standard.
  • Access is restricted to a small number of DBS-checked volunteers and trustees on a "need-to-know" basis.
  • Sensitive tables (medical notes, safeguarding records) are stored with additional access controls and are never included in routine exports or shared outside of a safeguarding context.
  • Our website uses HTTPS encryption; all form submissions are encrypted in transit.
  • We review our security and access controls at least annually.

How long we keep it

What | How long
Active player registration & emergency contact | While you're an active player, plus 3 years after your last session.
Medical & accessibility notes | While you're active; deleted within 6 months of you leaving, unless an incident means we're legally required to retain them
Payment & attendance records | 7 years (HMRC requirement)
Safeguarding incident records | Up to 25 years, where required by safeguarding guidance (e.g. IICSA recommendations)
Newsletter subscription | Until you unsubscribe, plus a record that you opted in (for consent audit purposes)
Photo / video consent | Until you withdraw consent, or 3 years after your last session, whichever is sooner
Contact form messages | 2 years after the enquiry is resolved
Website analytics | Up to 14 months (anonymised, aggregated)
Match statistics and leaderboard data | Duration of active participation plus 2 years, then anonymised. Your player number is permanent but is never linked to your name in any public record.
Waitlist email addresses | Until the relevant product launches and notification is sent, then deleted within 30 days. If the product does not launch within 12 months, deleted at that point.

Your rights

You have legal rights over the data we hold about you. Exercising them is always free, and we won't penalise you for doing so.

  • Access: ask for a copy of what we hold about you (a "Subject Access Request"). We'll respond within one month.
  • Correction: ask us to fix anything inaccurate or incomplete.
  • Deletion: ask us to delete your data (except where we're legally required to keep it, e.g. HMRC records).
  • Withdraw consent: for anything you opted in to (newsletter, photos, WhatsApp, wellbeing surveys, and leaderboard appearance, which you can change via your profile page at any time). This doesn't undo what was lawful at the time, but stops any further use.
  • Restrict processing: ask us to pause using your data while we deal with a query.
  • Object: to any processing based on legitimate interests.
  • Data portability: receive your data in a structured, machine-readable format.

To exercise any right, email [email protected]. We may ask for ID to confirm who you are before releasing data. This is for your protection.

If you're unhappy with how we've handled your data, you can complain directly to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113. We'd appreciate the chance to fix things first, but you can go straight to the ICO if you prefer.

Cookies & the website

Our websites use the minimum technical cookies needed to keep the site working (remembering your theme preference, dark mode setting, and tweak toggles). These are stored only on your own device, never sent to us, and disappear when you clear your browser.

We do not use advertising cookies, third-party trackers, or analytics that identify you personally. We may use privacy-friendly, aggregated analytics (e.g. Plausible or Cloudflare's built-in request counts) to see which pages are visited, but these do not involve personal data or cookies.

External buttons (Facebook, Instagram, WhatsApp, YouTube, JustGiving, Stripe, PayPal) are simple links; they only set cookies after you click through to those services, at which point that service's own privacy policy applies.

Children & under-18s

Our Monday sessions are 18+ only. Our Thursday sessions are open to players aged 16 and over. Players aged 16 or 17 may register only with active parental or guardian consent, which is captured at registration and verified by email to the guardian's address.

We do not knowingly collect data from anyone under 16. If you are a parent or guardian and think we may hold data about a child under 16 we shouldn't, please email [email protected] and we'll delete it.

All volunteers working directly with under-18s are enhanced-DBS checked. Our full safeguarding policy is available on request.

Match statistics are recorded for all players including those aged 16 and 17. Each player is assigned a permanent anonymous player number which is their identity on the public fantasy leaderboard. The player's name never appears publicly. Appearance on the leaderboard is controlled by the opt-in toggle on the player's profile page. For players aged 16 and 17, the guardian's consent at registration covers stats recording. Leaderboard opt-in for players aged 16 and 17 should be managed with the guardian's awareness.

Fantasy leaderboard and player numbers

Every registered player is assigned a permanent anonymous player number (for example, Player 047). This number is your identity on the public fantasy leaderboard. Your name is never associated with your player number in any public communication or record.

The leaderboard displays only player numbers alongside session statistics. Your row appears publicly only once you are a Regular or Unlimited member and have opted in; both are required. You can opt out at any time from your profile page, which removes your row from the public table immediately. If you play on a pay-as-you-go basis, your statistics are still recorded internally for session management and impact reporting, but are never shown on the public leaderboard until you become a member and opt in.

If something goes wrong

We take data breaches seriously. If we ever discover a breach that's likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware, where required by law
  • Notify you directly, without undue delay, if the risk to you is high
  • Tell you what happened, what data was involved, what we're doing about it, and what you can do to protect yourself

You can report a concern to us at any time at [email protected].

Contact us

The easiest way to reach our Data Protection contact is by email. We aim to respond within 5 working days for general queries, and within one month for formal rights requests.

Data Protection, Everyone Plays CIC

For all questions about this policy, your personal data, or to exercise any of your rights.

Email: [email protected]
General: [email protected]
Post: Everyone Plays CIC, [Insert registered address], Plymouth
ICO: ico.org.uk · 0303 123 1113

Changes to this policy

We'll update this policy when our practices change, new features are added, or the law requires it. The version number and "last reviewed" date at the top of this page show when we last made meaningful changes. If you've registered or subscribed, we will also notify you directly by email of significant changes affecting how we use your data.