Privacy Policy

Effective Date: April 2026 · Version 1.0 · Last Updated: April 2026

Important: This Privacy Policy explains how Megan Clare Bassett trading as ClubHQ ("we", "us", "our") collects, uses, stores, shares, and protects personal data in connection with the ClubHQ website at clubhq.uk and, when launched, the ClubHQ sports club management platform and mobile application (together, the "Service").

This policy is written to be transparent about what we collect now (pre-launch, website only) and what we will collect when the full platform launches. We are committed to processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Megan Clare Bassett trading as ClubHQ is the data controller responsible for personal data collected through clubhq.uk and the ClubHQ Service. This means we determine the purposes for which, and the means by which, your personal data is processed.

We are awaiting approval from the Information Commissioner's Office (ICO) and therefore are not currently collecting any data. If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at:

Email	[email protected]
Data Protection Contact	Megan Clare Bassett
ICO Registration No.	Pending Approval

Note: ClubHQ is currently operated by an individual prior to formal company incorporation. This policy will be updated to reflect the registered company name, number, and address upon incorporation.

2. What Personal Data We Collect

2.1 Current Website (Pre-Launch) — What We Collect Now

At present, clubhq.uk is a pre-launch information website. We do not currently operate a waitlist or collect personal data via any form on the website. The only data that may be collected is limited to:

Technical data collected automatically by Cloudflare (our website infrastructure provider), including IP addresses, browser type, device type, and approximate location. This is used for security, performance, and DDoS protection. Please refer to Cloudflare's Privacy Policy for full details.
If you contact us directly via the email address listed in the footer, we will receive your email address and any personal information you include in your message.

We do not use any analytics tools, tracking pixels, or advertising cookies on the current website.

2.2 Waitlist (When Active)

When the ClubHQ waitlist opens, we will collect the following information from people who sign up:

Full name
Email address
Club name
Town or city (to understand the geographic spread of interest — we will not collect full addresses at this stage)
Sport type
Tier of interest (optional)
Whether you have requested a demo (optional)

This data will be used solely to manage your waitlist position, communicate launch updates, and (where you have explicitly consented) send you marketing communications about ClubHQ. We will not use it for any other purpose.

2.3 Full Platform (Upon App Launch) — Account and Identity Data

Full name
Email address
Username or display name
Profile photograph (if provided)
Date of birth (to verify age and apply appropriate protections for younger users)
Gender (optional, for team categorisation purposes)
Telephone number (optional)
Account login credentials (passwords are stored in encrypted form only — we never store passwords in plaintext)

2.4 Sport and Club Activity Data

Sport type and club or team membership
Player positions, roles, or skill level
Match fixtures, training schedules, and results
Attendance records and availability responses
Performance statistics, scores, and rankings
Strength and conditioning logs (where you use this feature)
Injury records (where entered by you or an administrator)
Committee documents, budgets, minutes, and task records (committee users only)
Communications sent within the platform (messages, posts, announcements, comments)

2.5 Payment Data

Payment card details — processed securely by our third-party payment provider (e.g. Stripe). We do not store full card numbers or CVV codes.
Transaction history (membership fees, event ticket purchases, match fees)
Billing name and address

2.6 Technical and Device Data

IP address
Device type, operating system, and browser type
App version and usage logs
Crash reports and diagnostic data
Cookie identifiers and similar tracking technologies

2.7 Special Category Data

In limited circumstances we may process special category data under UK GDPR Article 9, including:

Health or medical information (e.g. injury records or medical conditions relevant to participation, entered by you or an administrator)

We will always seek your explicit consent before processing special category data, unless we are legally required to process it for another reason (e.g. safeguarding obligations). You are never required to enter health data to use the platform.

2.8 Data About Children (Under 18)

Where ClubHQ is used to manage youth teams, children's data may be processed. If a user is under 18, we require that a parent or legal guardian registers on their behalf and provides consent. Children under 13 may not create accounts independently.

We apply heightened protections to children's data in line with the ICO's Children's Code (Age Appropriate Design Code), including data minimisation, default privacy settings, and restricted visibility of children's profiles.

3. How We Collect Your Personal Data

We collect personal data through the following means:

Directly from you: when you sign up to the waitlist, register an account, complete your profile, make payments, send messages, log activity, or contact us.
Automatically: through your use of the website or platform (IP address, device data, usage logs, cookies where applicable).
Via Cloudflare: our infrastructure provider automatically processes certain technical data as part of delivering and protecting the website.
From other users: team administrators or coaches may add you to a team, which may involve entering your name, email, or other details on your behalf.
From third-party sign-in providers: if you choose to log in using Google or Apple, we receive your name, email address, and profile photo from those services.
From payment providers: we receive transaction confirmation data from our payment processor (e.g. Stripe) when you make a payment.

4. Our Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis to process your personal data. Depending on the nature of the processing, we rely on the following bases:

Lawful Basis	Examples of Processing Activity
Contract Performance (Art. 6(1)(b))	Creating and managing your account; processing subscription and event payments; delivering the core platform features (fixtures, results, messaging, attendance).
Legitimate Interests (Art. 6(1)(f))	Improving platform performance and features; preventing fraud and abuse; sending service-related notifications; Cloudflare security processing.
Consent (Art. 6(1)(a) / 9(2)(a))	Waitlist and launch marketing emails; processing health or injury data; non-essential cookies (when implemented).
Legal Obligation (Art. 6(1)(c))	Responding to lawful requests from regulators or law enforcement; complying with HMRC financial record-keeping requirements.
Vital Interests (Art. 6(1)(d))	In exceptional circumstances, to protect the health or safety of a participant (e.g. sharing emergency information with appropriate parties).

5. How We Use Your Personal Data

We use the personal data we collect for the following purposes:

To manage your waitlist registration and send you launch updates and early access information (with your consent).
To create and manage your platform account and authenticate your identity.
To deliver the core ClubHQ features: member management, fixture scheduling, training sessions, attendance tracking, results, Strength & Conditioning programmes, committee tools, and in-app messaging.
To process subscription and event payments and send confirmations and receipts.
To send you push notifications and alerts about fixtures, training, results, and club communications.
To enable club administrators and coaches to manage their teams and access relevant member data.
To allow committee members to manage documents, budgets, agendas, and tasks.
To monitor and improve platform performance and identify and fix technical issues.
To comply with our legal obligations, resolve disputes, and enforce our Terms of Service.
To detect, investigate, and prevent fraudulent activity or security incidents.
To send marketing communications about ClubHQ updates, new features, or related products (only where you have given explicit consent, and you may withdraw this at any time).

6. How and Why We Share Your Data

We do not sell your personal data to third parties. We may share your personal data in the following limited circumstances:

6.1 With Other Platform Users

Certain information (such as your name, profile photo, availability status, and performance statistics) will be visible to other members of teams or clubs you have joined. Club administrators can configure visibility settings. Data shared within a team may be viewed by all members of that team.

6.2 With Club Administrators and Coaches

If you join a club or team through ClubHQ, the administrator or coach of that club will have access to the personal data you have provided or that is generated through your participation. They act as independent data controllers for any data they export or use outside of ClubHQ, and are responsible for their own compliance with UK GDPR.

6.3 With Service Providers (Data Processors)

We work with trusted third-party providers who process data strictly on our behalf and under contractual obligations. These currently include or may include:

Cloudflare — website infrastructure, security, and performance (US-based; see Section 7 on international transfers)
Stripe — payment processing (PCI-DSS compliant; we do not receive or store full card details)
Cloud hosting provider — secure storage of platform data (e.g. AWS, Google Cloud, or equivalent)
Email delivery service — for transactional and marketing emails
Push notification provider — for in-app alerts

All providers are bound by Data Processing Agreements and are only permitted to process your data in accordance with our documented instructions.

6.4 Legal and Regulatory Disclosures

We may disclose personal data if required to do so by law, court order, or a lawful request from a public authority (such as the police or the ICO). Where legally permitted to do so, we will notify you.

6.5 Business Transfers

In the event of a merger, acquisition, or sale of the business, your personal data may be transferred to the relevant acquiring party. We will provide notice of any such change and its effect on your data before it takes place.

7. International Data Transfers

Some of our service providers (including Cloudflare and potentially our cloud hosting and payment providers) may process data outside the UK or EEA, including in the United States. Where this occurs, we ensure that appropriate safeguards are in place, such as:

UK adequacy regulations (where the destination country has been approved by the UK Secretary of State);
Standard Contractual Clauses (SCCs) approved by the ICO; or
Other legally recognised transfer mechanisms.

You may contact us to request details of the specific safeguards in place for any such transfers.

8. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law:

Data Type	Retention Period
Waitlist data	Until you unsubscribe or request deletion, or 24 months after the waitlist closes if unused.
Platform account and profile data	Until account deletion, then 30 days for account recovery, then permanently deleted.
Financial and payment records	7 years from transaction date (HMRC legal requirement).
Email and support correspondence	3 years from the date of last contact.
Technical / server logs	Up to 12 months, unless required longer for security or legal investigations.
Marketing consent records	Until consent is withdrawn, plus 3 years for record-keeping.

9. Your Rights Under UK GDPR

As a data subject under UK GDPR, you have the following rights. You can exercise any of them by contacting us using the details in Section 1.

9.1 Right to be Informed

You have the right to be told how we use your personal data. This Privacy Policy fulfils that obligation.

9.2 Right of Access

You can request a copy of the personal data we hold about you (a Subject Access Request or SAR). We will respond within one month. We may extend this by up to two further months if your request is complex.

9.3 Right to Rectification

You can ask us to correct inaccurate or incomplete data we hold about you. You can also update most information directly within your ClubHQ account.

9.4 Right to Erasure ('Right to be Forgotten')

You can request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent. We may need to retain certain data for legal reasons (e.g. financial records under HMRC rules).

9.5 Right to Restrict Processing

You can ask us to pause processing of your data in certain circumstances, for example while the accuracy of the data is disputed.

9.6 Right to Data Portability

Where processing is based on consent or contract and carried out by automated means, you can request a structured, machine-readable copy of your data, or ask us to transfer it to another controller where technically feasible.

9.7 Right to Object

You can object to processing based on our legitimate interests, or to direct marketing, at any time. We will stop the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests.

9.8 Rights in Relation to Automated Decision-Making

ClubHQ does not make decisions about you based solely on automated processing that produce legal or similarly significant effects. We do not use your data for commercial profiling or targeted advertising.

9.9 Right to Withdraw Consent

Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of processing that took place before withdrawal. To unsubscribe from marketing emails, use the unsubscribe link in any email or contact us directly.

9.10 Right to Lodge a Complaint

You have the right to complain to the ICO if you believe we have not handled your data lawfully:

ICO Website	www.ico.org.uk
ICO Helpline	0303 123 1113
ICO Address	Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

10. Security of Your Personal Data

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

Encryption of data in transit using TLS (HTTPS across the website and platform)
Encryption of data at rest
Access controls ensuring only authorised individuals can access personal data
Cloudflare DDoS protection and web application firewall on the website
Secure payment processing via a PCI-DSS compliant provider (we never store card numbers)
Passwords stored using secure one-way hashing — never in plaintext
Regular review of security practices as the platform is built and scaled

In the event of a personal data breach likely to result in risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware, and notify affected individuals without undue delay where required.

11. Cookies and Similar Technologies

11.1 Current Website

The ClubHQ website currently uses only the cookies and technical mechanisms set by Cloudflare as part of its infrastructure and security services. These are strictly necessary for the website to function and cannot be disabled. Cloudflare may set a cookie (typically '_cf_bm' or similar) for bot detection and security purposes. No analytics, advertising, or tracking cookies are currently in use on this website.

11.2 When the Platform Launches

When the ClubHQ platform launches, we may use additional cookies and similar technologies for:

Essential functionality (keeping you logged in, session management)
Preference storage (remembering your settings)
Platform analytics (understanding usage patterns to improve the product)

We will implement a cookie consent mechanism before introducing any non-essential cookies, and you will be able to manage your preferences at any time.

12. Third-Party Links and Services

The ClubHQ website links to our Instagram account (@c.lubhq) and may in future link to other third-party services. We are not responsible for the privacy practices of third-party platforms. Instagram is operated by Meta Platforms and is subject to Meta's own privacy policy. We encourage you to review the privacy policies of any third-party services you access.

13. Club Administrators as Data Controllers

When a club or organisation uses ClubHQ to manage its members, the club acts as an independent data controller for the personal data of its members. ClubHQ acts as a data processor on the club's behalf in that context.

If your data was added to ClubHQ by a club administrator, you should also refer to that club's own privacy policy. Club administrators are responsible for ensuring they have a lawful basis for processing their members' data, providing appropriate privacy notices to members, and complying with their own obligations under UK GDPR.

14. Changes to This Privacy Policy

We will update this Privacy Policy as ClubHQ develops, particularly when the platform launches and new data processing activities begin. When we make material changes, we will:

Display a prominent notice on the website or within the platform;
Send an email notification to registered users or waitlist members where appropriate; and
Update the 'Effective Date' at the top of this policy.

We encourage you to review this policy periodically. Continued use of the website or platform after an update constitutes acceptance of the revised policy.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please get in touch:

Email	[email protected]
Subject Line	"Data Protection Enquiry – ClubHQ"

We aim to respond to all data protection enquiries within 30 days. For Subject Access Requests, we will acknowledge receipt promptly and respond within one calendar month of receiving your request.

© 2026 ClubHQ (clubhq.uk). All rights reserved. This policy is currently issued by an individual trading as ClubHQ, prior to formal company incorporation. It will be updated to reflect the registered company details upon incorporation.

This document was prepared with reference to the UK GDPR, Data Protection Act 2018, PECR, and ICO guidance. It does not constitute legal advice. You are strongly advised to have this policy reviewed by a qualified UK data protection solicitor before publishing it.