Skip to main content
Home

Privacy Policy

Last updated: 5 May 2026

1. About this policy

This policy explains how AcademyOScollects, uses, stores, and protects personal data when you use this website, register a child for coaching, or interact with our services. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (where applicable), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Information Commissioner's Office (ICO) Age Appropriate Design Code (Children's Code).

We use plain English wherever possible. If anything below is unclear, please contact us at privacy@academyos.co.uk and we will explain.

2. Who is the data controller?

AcademyOS is a trading brand of FlowEdge AI Ltd ("we", "us", "our"), a company registered in England and Wales.FlowEdge AI Ltd is the data controller for the marketing website at academyos.co.uk and for any data submitted by academies, coaches, or prospective customers via this site (such as enquiry forms, demo bookings, or onboarding).

Company details:

  • Legal entity: FlowEdge AI Ltd (trading as AcademyOS)
  • Company number: 16247733
  • Incorporated: 12 February 2025
  • Registered office: 193 Cambridge Street, Aylesbury, Buckinghamshire, HP20 1BQ, United Kingdom
  • Jurisdiction: England and Wales

When an academy uses AcademyOS to run its operations (parent registrations, coaching data, payments, etc.), that academy is the data controller for its parents' and players' data, and FlowEdge AI Ltd acts as their data processor under a signed Data Processing Agreement. Each academy publishes its own privacy policy on its own subdomain (e.g. your-academy.academyos.co.uk/privacy).

Contact: privacy@academyos.co.uk for general privacy queries, or dpo@academyos.co.uk for formal data protection matters.

3. What data we collect

The personal data we may collect falls into the following categories:

3.1 Parent / guardian data

  • Full name, email address, phone number, and home address
  • Account password (hashed — we never see or store the plain text)
  • Relationship to the child and parental responsibility status
  • Marketing preferences and consent records
  • Communications with the Academy (emails, portal messages, chatbot conversations)

3.2 Child / player data

  • Full name, date of birth, age group, and gender
  • School and year group (where provided)
  • Medical information: allergies, medical conditions, medication, GP details
  • Emergency contact details
  • Attendance records, RSVPs, session participation, and player development ratings
  • Match results and performance notes recorded by coaching staff
  • Photos and video footage — only ever processed with separate, explicit parental consent

3.3 Financial data

  • Registration and payment history
  • Card details are never stored on our servers — they are handled directly by Stripe (PCI-DSS Level 1 certified). We only retain a tokenised reference and the last 4 digits for receipts and refund processing.

3.4 Technical data

  • IP address (truncated where possible) and approximate location
  • Browser type, device type, and operating system
  • Pages viewed, referrer, and timestamps (essential security & service-quality logs only)
  • Cookies — see our Cookie Policy

3.5 Special category data

Medical information about a child counts as special category data under UK GDPR Article 9. We process it only on the lawful bases of (a) explicit parental consent and (b) protection of vital interests (i.e. a medical emergency). It is encrypted at rest, accessible only to authorised coaching staff, and never used for marketing or analytics.

4. Children's data — our commitments under the ICO Children's Code

Our coaching services are designed for children. We follow the 15 standards of the ICO Age Appropriate Design Code and treat children's privacy as a fundamental, not a bolt-on. In practice this means:

  • Best interests of the child:every product decision that affects children is reviewed against the child's best interests.
  • Parental consent (UK GDPR Article 8):we only collect a child's data after a parent or legal guardian has registered an account, set a password, and verified their email address. Children do not register themselves on this platform.
  • No profiling of children:we do not build behavioural or marketing profiles of children, do not use children's data for behavioural advertising, and do not use "nudge" techniques on children.
  • No sharing for marketing:children's data is never sold, rented, or shared with third parties for marketing purposes.
  • Data minimisation: we collect only what is needed to deliver coaching safely. Optional fields are clearly marked.
  • High-privacy defaults: photo/video consent, marketing emails, and any optional features default to off until a parent actively opts in.
  • Strict access controls:a child's record is visible only to (a) the registered parent/guardian, (b) the coaching staff of the squad the child is assigned to, and (c) authorised Academy administrators. Row-Level Security on the database enforces this at the data layer, not just in the user interface.
  • No automated decisions with significant effect: any AI features (e.g. coach-facing report drafting) produce drafts only for an authorised coach to review, edit, and decide on before anything is sent or actioned.
  • Right to be forgotten:a parent can delete their account and their child's data at any time from the Parent Portal. See section 8.

We have completed a Data Protection Impact Assessment for our processing of children's data and review it annually — a summary is available on request to privacy@academyos.co.uk.

If you are a child reading this and you would like your data removed, please ask a parent or guardian to contact us — or email privacy@academyos.co.uk directly and we will help.

5. How and why we use your data (lawful bases)

Under UK GDPR Article 6 we must have a lawful basis for every use of personal data:

  • Performance of a contract — processing registrations, taking payments, scheduling sessions, and delivering coaching to a registered child.
  • Legitimate interests — running the Academy day-to-day (e.g. tracking attendance, recording match results, keeping audit logs of staff actions for accountability, fraud prevention, and basic, privacy-respecting analytics). We have carried out a Legitimate Interests Assessment for each of these and balance them against your rights — you may object at any time.
  • Consent — for marketing emails, publishing photos or videos of children, and for any non-essential cookies. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation — keeping financial records for HMRC (6 years), responding to court orders or police requests, fulfilling safeguarding duties under the Children Act 1989/2004 and Working Together to Safeguard Children.
  • Vital interests— accessing medical/emergency contact information to protect a child's life or health in an emergency.
  • Explicit consent (special category data) — processing medical information about your child is on the basis of your explicit consent (Article 9(2)(a)) and protection of vital interests (Article 9(2)(c)).

6. Who has access to your data

Strictly multi-tenant isolation. AcademyOS is a multi-tenant platform — many academies use the same underlying technology — but every record is tagged with the academy that owns it (org_id) and database-level Row-Level Security ensures that no academy can ever see another academy's data, even by accident or via a software bug. Parents see only their own children. Coaches see only the squads they coach. Academy administrators see only their own academy.

Within the Academy, the following people can access personal data on a need-to-know basis:

  • The parent/guardian who registered the account (their own record + their children's)
  • The Academy's head coach and team coaches (the squads they are assigned to)
  • The Academy's administrators (operational and financial data)
  • A small number of authorised AcademyOS engineers, only when required to provide technical support, fix a bug, or investigate a security incident — every such access is audit-logged.

7. Sub-processors and third parties

AcademyOS uses the following carefully selected sub-processors. Each is GDPR-compliant, has a signed Data Processing Agreement with AcademyOS, and is bound by the Standard Contractual Clauses where any data transfer leaves the UK/EEA:

ProviderPurposeRegion
SupabaseDatabase, authentication, file storageEU (Frankfurt)
VercelWebsite & application hosting, edge deliveryEU / Global edge
CloudflareDNS, DDoS protection, R2 image storageEU / Global edge
StripePayment processing & fraud prevention (PCI-DSS Level 1)UK / EU / US (SCCs)
ResendTransactional email deliveryEU / US (SCCs)
Anthropic (Claude AI)Coach-facing draft generation (end-of-season reports, parent email drafts, session notes) and a parent-facing chatbot. AI-drafted emails are reviewed by a coach before sending; chatbot responses are generated without personal data in the prompts and never used for marketing or automated decision-making. Inputs are notused to train Anthropic's models and are retained by Anthropic for 30 days (Commercial Terms standard) before deletion, under the Anthropic Commercial Terms (DPA + UK GDPR Addendum auto-applied). AI-drafted emails carry a footer noting AI assistance was used. Parents can opt out of AI processing entirely from /portal/profile.US (SCCs + UK Addendum)
SentryError monitoring and performance telemetry to keep the platform running. Receives error stack traces and request metadata; personal identifiers (email, name, IP) are stripped before transmission via a server-side scrubber. No coach- or parent-typed content is sent. Used for diagnostics only — never marketing or analytics.US (SCCs + UK Addendum)

For the canonical and complete list of sub-processors (including those that process no live personal data), see our Sub-processors page.

We may also disclose personal data where legally required (e.g. to HMRC, the police, or in response to a valid court order), or where disclosure is necessary to safeguard a child.

We do not sell personal data, and we do not share children's data with advertising networks, data brokers, or any third party for marketing purposes.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data and your child's data:

  • Access — request a copy of all data we hold about you and your child.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — ask us to delete your data, subject to limited legal exceptions (see retention).
  • Restriction — ask us to pause processing while a query is resolved.
  • Portability — receive your data in a machine-readable (JSON) format you can take elsewhere.
  • Object — object to processing based on legitimate interests, or to direct marketing at any time.
  • Withdraw consent — for any consent-based processing, without affecting the lawfulness of prior processing.
  • Not be subject to automated decisions — we do not make solely automated decisions that have a significant effect on you or your child.

The fastest way to exercise the access, portability, and erasure rights is from your Parent Portal profile — both Export My Data and Delete My Account are self-service. Otherwise, email us at privacy@academyos.co.uk and we will respond within one calendar month, as required by UK GDPR Article 12(3).

We will ask you to verify your identity before disclosing or deleting personal data, to protect against fraudulent requests.

9. How long we keep your data

We keep personal data only for as long as is necessary for the purpose it was collected:

Type of dataRetention period
Active player & parent recordsWhile registered + 2 years after leaving
Medical & safeguarding informationDeleted within 30 days of the player leaving (unless an active safeguarding matter requires longer)
Financial & payment records6 years after the end of the relevant tax year (HMRC requirement)
Enquiry / lead data (no registration)12 months after last contact, then deleted
Marketing email preferencesUntil you unsubscribe — your preference is honoured for as long as your account exists. If you delete your account, your data including this preference is removed; if you later sign up again, marketing is opt-in by default.
Audit logs (staff actions)2 years
Photos & videos of childrenDeleted on consent withdrawal or when the child leaves, whichever is sooner
Server & security logsUp to 90 days, depending on platform plan tier (currently 30 days on Vercel Pro)

When the retention period ends, data is either permanently deleted or irreversibly anonymised (so that it can no longer be linked back to a person).

10. Security

We take a defence-in-depth approach to security. Technical and organisational measures in place include:

  • HTTPS / TLS 1.2+ encryption on all connections (HSTS preloaded)
  • Per-academy Row-Level Security — every database row is org-scoped; no SQL query can leak data across academies even in the event of an application bug
  • Encryption at rest (AES-256) for the database and all uploaded files
  • Passwords stored as one-way salted hashes (we never see your plaintext password)
  • Rate limiting, CSRF protection, and bot/honeypot defences on all public forms
  • Strict Content Security Policy and security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Audit logging of staff actions (every read/write to a sensitive record is logged)
  • Two-factor authentication is on our roadmap for coaching staff, with implementation targeted for 31 May 2026
  • Quarterly access reviews and least-privilege principles for engineering staff
  • Regular automated and manual security testing; responsible disclosure programme

Despite our best efforts, no method of transmission or storage is 100% secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay, as required by UK GDPR Articles 33 and 34.

11. International transfers

Your data is primarily stored on EU-based servers (Supabase, Frankfurt). Some sub-processors (Stripe, Resend, Anthropic, Sentry) may process limited operational data in the United States. Where data leaves the UK / EEA, transfers are protected by the UK-US Data Bridge (in force since 12 October 2023) for certified US recipients, with the UK Addendum to EU Standard Contractual Clauses as a fallback mechanism, plus supplementary measures including encryption in transit and at rest.

12. Cookies & analytics

We use a small number of strictly necessary cookies to keep you signed in and to protect against fraud. Analytics and any non-essential cookies are only set if you give consent via the cookie banner. Full details, including cookie names and durations, are in our Cookie Policy.

13. Marketing communications

We will only send marketing emails (e.g. news of upcoming camps, offers, or events) where you have actively opted in. Every marketing email contains a one-click unsubscribe link, and you can also manage your preferences from your Parent Portal at any time. We never use children's data for marketing.

14. Changes to this policy

We may update this policy from time to time to reflect changes in the law or our services. The "Last updated" date at the top will always reflect the most recent revision. Material changes will be notified by email or via a banner on the Parent Portal at least 14 days before they take effect.

15. Complaints

If you have a concern about how we handle your or your child's data, please contact us first at privacy@academyos.co.uk — we take every concern seriously and will work with you to resolve it. You also have the right at any time to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

16. Contact us

For any privacy-related question, request, or concern: