Privacy policy
This policy explains what personal information Lydiate Ash Sports collects when you use this website, why we collect it, how we use it, and what rights you have. We are committed to handling your information responsibly and in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Lydiate Ash Sports is the data controller for the purposes of this policy. If you have any questions or requests relating to your personal data, please use the contact form.
1. Who we are
Lydiate Ash Sports is a community sports club based in the Rubery and B45 area. We run teams, training sessions, and community activities. This website is our primary digital presence.
2. What information we collect and why
Visitors to the public website
When you browse our public pages (Home, Club life, News, About), we do not collect any personal information about you. We do not run visitor analytics, advertising trackers, or profiling. Your browser will load fonts from Google Fonts and icons from Cloudflare’s CDN — these requests include your IP address as a normal part of how the internet works, but we do not receive or store that data ourselves.
Contact form
When you submit our contact form we collect your name, email address, and the message you send. We use this information solely to respond to your enquiry and, where relevant, to direct it to the right person in the club (for example, welfare queries go to the welfare officer). A bot-protection check (Cloudflare Turnstile) runs when you submit the form; this processes a small amount of technical browser information to confirm you are human — it does not set tracking cookies or identify you personally.
Lawful basis: Legitimate interests — responding to a contact request you have chosen to send.
Retention: Contact messages are kept for as long as necessary to handle the enquiry and for a reasonable period afterwards in case follow-up is needed, and then deleted.
Parent portal accounts
If you register for the parent portal, we collect and store your email address and a securely hashed version of your password (we never store your password in readable form). We also record the date and time you accepted our terms of service and privacy policy, and — if you choose to give it — your consent to publication of photos and videos of your child.
Lawful basis: Contract — you have asked us to provide you with access to the portal and the account is necessary to do so.
Retention: Your account is kept for as long as you or your child are associated with the club, or until you request deletion. You may contact us at any time to close your account.
Children’s details
Through the parent portal you may register your child with the club. We collect the child’s display name, their squad or age group, and RSVP responses to published sessions. This information is provided and controlled by you as a parent or guardian — children do not register themselves.
Lawful basis: Contract — providing the club’s session management and RSVP service to you as the registered parent.
Retention: Children’s records are kept for as long as they are active members of the club, or until you request removal.
Photos and videos
During parent portal registration you are asked whether you consent to publication of photos and videos in which your child is identifiable. This consent is entirely optional. If you give it, the club may publish such material on the public website and club social media, subject to committee oversight. If you do not give consent, or if you later withdraw it, no images or videos in which your child is identifiable will be published. To withdraw consent, please use the contact form and we will update your record and take reasonable steps to remove any previously published material.
Lawful basis: Consent — freely given, specific, and withdrawable at any time.
Staff and manager accounts
Club staff who are given access to the manager panel have an account stored in our database containing their email address, a hashed password, and their role (coach or manager). These accounts are created by a club manager and are not self-service.
Lawful basis: Legitimate interests — administering the club’s internal operations.
3. Third parties who process data on our behalf
We use a small number of trusted third-party services. These act as data processors — they handle data only on our instructions and may not use it for their own purposes.
| Service | What they do for us | Where data may be processed |
|---|---|---|
| Cloudflare | Website hosting (Pages), database (D1), file storage (R2), access control (Cloudflare Access), bot protection (Turnstile), and CDN delivery of fonts and icons | EU and USA (Cloudflare operates under EU Standard Contractual Clauses and the UK International Data Transfer Agreement) |
| Google Fonts | Serving typefaces used in the website design | USA (Google LLC, Standard Contractual Clauses) |
| Zoho ZeptoMail | Delivering contact form replies, meeting confirmations, and RSVP confirmation emails | EU / India, depending on provider configuration |
| Zoho Contacts & Calendar (including parent accounts on registration) | Optional sync of enquiries, meeting requests, and published training/match sessions for club staff calendars | EU (Zoho EU data centres when using zoho.eu endpoints) |
We do not sell personal data to any third party, and we do not share it with any party other than those listed above.
4. Cookies and session tokens
The public website does not set any cookies. If you sign in to the parent portal or manager panel, a session cookie is set in your browser to keep you signed in. This cookie is:
- HttpOnly — not accessible to JavaScript, reducing the risk of it being stolen
- SameSite=Strict — only sent to our own site, not to any third-party request
- Secure — only sent over HTTPS
- Valid for 24 hours, after which you are automatically signed out
Cloudflare may set technical cookies as part of its bot-protection and network services. These are necessary for the site to function securely and are not used for advertising or tracking.
5. How long we keep your information
| Type of data | How long we keep it |
|---|---|
| Contact form messages | Until the enquiry is resolved, then deleted |
| Parent portal accounts | Until you request closure, or the club closes |
| Children’s records | Until the child leaves the club or you request removal |
| Session and RSVP data | Kept for historical club records; individual RSVPs may be deleted on request |
| Staff accounts | Deleted when the staff member leaves or the account is removed by a manager |
| Photo/video consent record | Kept alongside the parent account for accountability; updated immediately if you withdraw consent |
6. Your rights under UK GDPR
Depending on how and why we hold your information, you may have the following rights. You can exercise any of them by contacting us via the contact form.
- Right of access — you can ask for a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete information.
- Right to erasure — you can ask us to delete your personal data where there is no compelling reason to continue holding it.
- Right to restriction — you can ask us to limit how we use your data while a dispute is resolved.
- Right to data portability — where processing is based on consent or contract and carried out by automated means, you can ask for your data in a portable format.
- Right to object — you can object to processing based on legitimate interests.
- Right to withdraw consent — where we rely on consent (for example, photo and video publication), you can withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to requests within one month. We will not charge a fee for reasonable requests. If we cannot comply, we will explain why.
7. Children
The parent portal is for use by parents and guardians only. Children should not register themselves. Where we hold information about a child, it is provided by their parent or guardian, who is responsible for ensuring the information is accurate and for managing consent on the child’s behalf. If you believe we hold personal data about a child without appropriate parental authorisation, please contact us immediately.
8. Complaints
If you have a concern about how we handle your personal data that you cannot resolve directly with us, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection regulator.
ICO website: ico.org.uk · ICO helpline: 0303 123 1113
9. Changes to this policy
We may update this policy from time to time, for example if our services change or if legal requirements change. The date at the top of this page shows when it was last revised. Significant changes will be communicated via the website.