Privacy Policy

Last updated: [DATE TO BE ADDED BY CLIENT]

1. Who we are

AcademyOS ("we", "us", "our") is a youth football academy based in Buckinghamshire. We are the data controller responsible for the personal data we collect through this website and our services.

[CLIENT TO ADD: registered address, company number if applicable, data protection officer contact details, ICO registration number]

2. What data we collect

We collect and process the following personal data:

  • Parent/guardian name, email address, phone number, and postal address
  • Child's name, date of birth, gender, and medical information (allergies, conditions, GP details)
  • Emergency contact details
  • Registration and payment information
  • Attendance records and player performance data
  • Photos and videos (with explicit consent)
  • Website usage data (cookies, analytics)
  • Enquiry form submissions and chatbot conversations

3. Children's data

Our services involve processing personal data of children (minors under 18). We take additional care with children's data in line with GDPR Article 8 and the ICO's Age Appropriate Design Code:

  • We only collect children's data with verifiable parental/guardian consent
  • Children's data is only accessible to authorised coaching staff and the child's registered parent/guardian
  • We do not share children's data with third parties for marketing purposes
  • Medical data is stored securely and only shared with emergency services when necessary
  • Parents/guardians can request access to, correction of, or deletion of their child's data at any time

4. How we use your data

We process personal data on the following lawful bases, for the purposes listed against each:

  • Legitimate interest: managing academy operations, scheduling sessions, tracking attendance and player development
  • Contract performance: processing registrations and payments
  • Consent: sending marketing emails, publishing photos/videos, analytics cookies
  • Legal obligation: safeguarding duties, financial records

5. Who we share data with

We share personal data only with the following processors:

  • Supabase (EU) — database hosting and authentication
  • Stripe — payment processing
  • Resend — transactional emails
  • Vercel — website hosting

All processors are GDPR-compliant and have appropriate Data Processing Agreements in place. [CLIENT TO VERIFY AND ADD ANY ADDITIONAL PROCESSORS]

6. Data retention

[CLIENT TO ADD: specific retention periods, e.g.]

  • Active player records: retained while registered, plus [X] years after leaving
  • Financial records: 6 years (HMRC requirement)
  • Enquiry/lead data: [X] months after last contact
  • Audit logs: [X] years

7. Your rights

Under GDPR, you have the right to:

  • Access — request a copy of all data we hold about you and your child
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Restriction — request we limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interest or for marketing
  • Withdraw consent — at any time, for any consent-based processing

To exercise any of these rights, use the data export and account deletion features in your Parent Portal profile, or contact us at privacy@academyos.co.uk.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Row-Level Security (RLS) ensuring parents can only access their own data
  • HTTPS encryption on all connections
  • Rate limiting and CSRF protection on all API endpoints
  • Audit logging of all data access and changes by staff
  • Two-factor authentication for coaching staff
  • Security headers (CSP, HSTS, X-Frame-Options)

9. Cookies

For details on our use of cookies, please see our Cookie Policy.

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

[CLIENT: This privacy policy should be reviewed by a solicitor familiar with GDPR and the ICO's Age Appropriate Design Code before publication. All placeholder text in square brackets must be completed.]