Privacy Policy

This system is operated by the martial arts club ("the Club") that invited you to enrol. The Club is the data controller responsible for your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have questions about how your data is used, or wish to exercise your rights, contact the Club directly using the email address provided at enrolment.

• Student identity: name, date of birth, gender, nationality, membership number
• Contact details: email, mobile number, home address
• Guardian/emergency contact: name, relationship, phone number
• Health and medical information (for safe participation and accident reporting)
• Photo/video consent preferences
• Attendance, grading history, belt progression, and syllabus scores
• Payment and invoice records (card details are handled by our payment processor and never stored by us)
• Accident/incident reports and uploaded documents
• Communication history (emails and messages)
• Insurance status and renewal records

We process personal data under the following lawful bases (UK GDPR Article 6):

• Legitimate interests — managing club membership, attendance, grading, safety, and communications necessary for running the club.
• Consent — for photo/video use, marketing communications, and any optional data processing. You may withdraw consent at any time.
• Legal obligation — for accident reporting and insurance compliance.
• Contract performance — for processing payments and managing membership plans.

Where we process health or medical information, we do so with your explicit consent or where necessary to protect vital interests (e.g. during an accident).

Many of our members are under 18. We process children's data with the knowledge and consent of their parent or guardian. Parental consent is obtained during the enrolment process. Parents or guardians may exercise data rights on behalf of their child at any time.

• Managing your membership, attendance, and progression
• Sending class reminders, event invitations, and club communications
• Processing payments and generating invoices
• Recording and reporting accidents/incidents as required by law
• Tracking grading results and belt progression
• Assisting with written communications (personal data is always redacted before processing)

We use trusted third-party service providers ("processors") in the following categories to operate this system:

• Cloud database and authentication provider
• Application hosting provider
• Payment processor (PCI DSS compliant — card details are never stored by us)
• Email delivery service
• Messaging platform (if enabled by the Club)
• Security infrastructure (rate limiting and abuse prevention)

All processors are contractually bound to process data only on our instructions and in accordance with UK GDPR. We do not sell personal data to any third party. A full list of named processors is available on request by contacting the Club.

• Active member data is retained for the duration of membership
• Communication history is deleted after 2 years
• Attendance records are deleted after 7 years
• Leaver records are flagged for review after 3 years of inactivity and may be permanently deleted at the Club's discretion
• Accident reports are retained as required by insurance and legal obligations
• Consent records are retained as evidence of lawful processing

Your rights under UK GDPR are not affected by this system. You retain the right to access, correct, delete, restrict, or export your personal data, and to withdraw consent at any time. To exercise any of these rights, contact the Club using the email address provided at enrolment. We will respond within 30 days.

We take appropriate technical and organisational measures to protect your personal data. All connections are encrypted, data is encrypted at rest, and access is restricted to authorised staff only. Sensitive files are stored privately with time-limited access.

We may update this policy from time to time. The "Last updated" date at the top of this page will be changed accordingly. Continued use of the system after changes constitutes acceptance of the updated policy.