Everyone Plays CIC · UK GDPR

Privacy Policy

How we collect, use, store, and protect your personal data when you interact with Everyone Plays CIC, including our trading name Plymouth Kickabouts.

Version 1.0 · Effective [Insert launch date] · Last reviewed [Insert date]

Who we are

Everyone Plays CIC is a Community Interest Company registered in England & Wales (company number [Insert CIC number]), with its registered office at [Insert registered address].

We trade as Plymouth Kickabouts when running grassroots football sessions in Plymouth. Both names refer to the same legal entity, which is the data controller for all personal data described in this policy.

We are registered with the Information Commissioner's Office (ICO) as a data controller under registration number [Insert ICO registration number].

What personal data we collect

We only collect the information we genuinely need to run sessions safely, keep in touch, and meet our legal obligations as a CIC.

When you register to play

  • Name, date of birth
  • Email address and mobile number
  • Emergency contact name, relationship, and number
  • Any medical conditions, medication, or accessibility needs you choose to share. We strongly encourage everyone to share anything relevant — this information is only seen by session leads and is used solely to keep you safe. If you are completing registration on behalf of someone under 18, please share any conditions or needs we should be aware of for their safety.
  • If you are under 18: your parent or guardian's name, relationship, email, mobile, and their consent record
  • A timestamped record of which consent options you agreed to, and the exact wording you saw at the time

When you attend a session

  • Your name on the attendance list for that session
  • Session fees paid (currently £5 per session, recorded in our payment records)
  • Any safeguarding or injury incident notes that involve you (rare, but retained where they exist)

When you contact us or subscribe

  • Name, email, organisation (if applicable), and the content of your message
  • Email address if you subscribe to our newsletter, plus a record that you ticked the consent box

When you donate or sponsor

  • Name, email, donation amount, and Gift Aid status, handled by our payment partner Stripe
  • We do not see or store your card or bank details. Those are processed by the payment provider directly

When you use the website

We never collect: ethnicity, religion, sexuality, immigration status, political views, or financial information beyond what's needed for a donation.

Why we collect it

Each piece of information has a specific purpose. We don't keep anything "just in case."

| Why we need it | What we use |
|---|---|
| Knowing who's coming so we can run safe sessions (registers, team balancing, pitch-side safety) | Name, DOB, session attendance |
| Contacting you about your session (weather cancellations, pitch changes, urgent updates) | Email, mobile |
| Responding to a medical emergency on the pitch | Emergency contact, medical notes |
| Safeguarding: protecting players from harm, especially under-18s | Guardian details, incident notes |
| Collecting session fees and keeping HMRC-compliant records | Payment records |
| Sending the newsletter (only if you opt in) | Email, consent record |
| Promoting sessions with photos/video (only if you opt in) | Images you appear in |
| Tracking our social impact for funders | Anonymous, aggregated attendance numbers. Never your individual data |

Our legal basis for processing

Under the UK GDPR we must tell you the "lawful basis" we're relying on for each type of processing.

Contract / necessary for the service

Your name, DOB, emergency contact, and basic attendance records. We need these to run sessions you've signed up to. You can't opt out of these and still attend.

Consent

Newsletter signups, WhatsApp group membership, photo/video use, optional wellbeing surveys. You opt in at registration and can withdraw that consent any time (see Your rights).

Legal obligation

Payment and attendance records are retained for 7 years to meet HMRC requirements. Safeguarding records may be retained longer where the law requires it.

Legitimate interests

Basic website analytics, incident logs, and our need to contact you about safety-critical changes to a session you're registered for. We've balanced this against your rights and believe it's proportionate, but you can object (see Your rights).

Who we share your data with

We are a small volunteer-run organisation and we do not sell, rent, or trade personal data to anyone, ever. We only share data where it's essential to run the service or where we're legally required to.

  • DBS-checked volunteers and trustees who run sessions. Access is limited to what they need (e.g. session leads see the register and emergency contacts; trustees see aggregate numbers)
  • Supabase: stores player registration and booking data on London region servers. PostgreSQL database with row-level security. supabase.com
  • Stripe: processes card payments for session bookings and donations. No card details are stored by us. stripe.com
  • Resend: sends transactional emails (booking confirmations, password resets, guardian consent links). resend.com
  • Cloudflare: hosts the website and serverless functions. Processes only anonymous technical request logs. cloudflare.com
  • JustGiving: optional donation platform. Only applies if you choose to donate via JustGiving. justgiving.com
  • PayPal: optional donation platform. Only applies if you choose to donate via PayPal. paypal.com
  • HMRC, the Police, or other statutory bodies: only where we are legally required to, or where there is a serious safeguarding concern.

We have written data-processing agreements in place with all of our suppliers. We never transfer your data outside the UK or EU without the legal safeguards required by the UK GDPR.

Where & how we store your data

  • All personal data is stored on UK or EU-based servers covered by UK GDPR or an equivalent standard.
  • Access is restricted to a small number of DBS-checked volunteers and trustees on a "need-to-know" basis.
  • Sensitive tables (medical notes, safeguarding records) are stored with additional access controls and are never included in routine exports or shared outside of a safeguarding context.
  • Our website uses HTTPS encryption; all form submissions are encrypted in transit.
  • We review our security and access controls at least annually.

How long we keep it

| What | How long |
|---|---|
| Active player registration & emergency contact | While you're an active player, plus 3 years after your last session |
| Medical & accessibility notes | While you're active; deleted within 6 months of you leaving, unless an incident means we're legally required to retain them |
| Payment & attendance records | 7 years (HMRC requirement) |
| Safeguarding incident records | Up to 25 years, where required by safeguarding guidance (e.g. IICSA recommendations) |
| Newsletter subscription | Until you unsubscribe, plus a record that you opted in (for consent audit purposes) |
| Photo / video consent | Until you withdraw consent, or 3 years after your last session, whichever is sooner |
| Contact form messages | 2 years after the enquiry is resolved |
| Website analytics | Up to 14 months (anonymised, aggregated) |

Your rights

You have legal rights over the data we hold about you. Exercising them is always free, and we won't penalise you for doing so.

  • Access: ask for a copy of what we hold about you (a "Subject Access Request"). We'll respond within one month.
  • Correction: ask us to fix anything inaccurate or incomplete.
  • Deletion: ask us to delete your data (except where we're legally required to keep it, e.g. HMRC records).
  • Withdraw consent: for anything you opted in to (newsletter, photos, WhatsApp, wellbeing surveys). This doesn't undo what was lawful at the time, but stops any further use.
  • Restrict processing: ask us to pause using your data while we deal with a query.
  • Object: to any processing based on legitimate interests.
  • Data portability: receive your data in a structured, machine-readable format.

To exercise any right, email privacy@everyoneplays.uk. We may ask for ID to confirm who you are before releasing data. This is for your protection.

If you're unhappy with how we've handled your data, you can complain directly to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113. We'd appreciate the chance to fix things first, but you can go straight to the ICO if you prefer.

Cookies & the website

Our websites use the minimum technical cookies needed to keep the site working (remembering your theme preference, dark mode setting, and tweak toggles). These are stored only on your own device, never sent to us, and disappear when you clear your browser.

We do not use advertising cookies, third-party trackers, or analytics that identify you personally. We may use privacy-friendly, aggregated analytics (e.g. Plausible or Cloudflare's built-in request counts) to see which pages are visited, but these do not involve personal data or cookies.

External buttons (Facebook, Instagram, WhatsApp, YouTube, JustGiving, Stripe, PayPal) are simple links; they only set cookies after you click through to those services, at which point that service's own privacy policy applies.

Children & under-18s

Our Monday sessions are 18+ only. Our Thursday sessions are open to players aged 16 and over. Players aged 16 or 17 may register only with active parental or guardian consent, which is captured at registration and verified by email to the guardian's address.

We do not knowingly collect data from anyone under 16. If you are a parent or guardian and think we may hold data about a child under 16 we shouldn't, please email privacy@everyoneplays.uk and we'll delete it.

All volunteers working directly with under-18s are enhanced-DBS checked. Our full safeguarding policy is available on request.

If something goes wrong

We take data breaches seriously. If we ever discover a breach that's likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office within 72 hours of becoming aware, where required by law
  • Notify you directly, without undue delay, if the risk to you is high
  • Tell you what happened, what data was involved, what we're doing about it, and what you can do to protect yourself

You can report a concern to us at any time at privacy@everyoneplays.uk.

Contact us

The easiest way to reach our Data Protection contact is by email. We aim to respond within 5 working days for general queries, and within one month for formal rights requests.

Data Protection, Everyone Plays CIC

For all questions about this policy, your personal data, or to exercise any of your rights.

  • Email: privacy@everyoneplays.uk
  • General: hello@everyoneplays.uk
  • Post: Everyone Plays CIC, [Insert registered address], Plymouth
  • ICO: ico.org.uk · 0303 123 1113

Changes to this policy

We'll update this policy when our practices change, new features are added, or the law requires it. The version number and "last reviewed" date at the top of this page show when we last made meaningful changes. If you've registered or subscribed, we will also notify you directly by email of significant changes affecting how we use your data.