Privacy Notice

How the UK Polocrosse Association collects, uses, and protects your personal data.

Version history

This notice is versioned. Every material change is recorded below. The current version is 1.0, last updated April 2026.

| Version | Date | Changes |
|---|---|---|
| 1.0 | April 2026 | Initial publication of the UKPA Privacy Notice. |

1. Who we are

The UK Polocrosse Association (“UKPA”, “we”, “us”, “our”) is the national governing body for polocrosse in the United Kingdom. The UKPA is an unincorporated association governed by its members. A dormant company, United Kingdom Polocrosse Association Limited (company number 05189686, registered in England & Wales), exists solely to protect the association’s name and takes no active part in running the sport.

For the purposes of UK data protection law, the UKPA is the data controller responsible for the personal data described in this notice.

Contact: support@ukpolocrosse.co.uk

2. Scope of this notice

This notice applies to all personal data we collect and process about:

  • UKPA members (adults and juniors)
  • Guardians and parents who manage junior members’ accounts
  • Club officials and administrators
  • Visitors to this website who contact us via the contact form

It does not cover data processed by third-party websites we may link to. We encourage you to read the privacy notices of any external sites you visit.

3. The personal data we collect

We collect the minimum personal data necessary for each purpose. The categories below set out exactly what we hold.

3.1 Account data

When you create an online account with the UKPA member portal, we collect:

  • Email address
  • Password (stored as a one-way cryptographic hash — we cannot read your password)
  • Account role (standard member, club administrator, UKPA administrator)
  • Date and time of account creation and last login
  • Two-factor authentication (2FA) status and encrypted TOTP secret (where 2FA is enabled or mandatory)
  • IP address and browser/device information recorded at login and when accepting our Terms of Service

3.2 Member registration data

When registering a UKPA membership (for yourself or a junior you are responsible for), we collect:

  • First name and last name
  • Date of birth
  • Phone number
  • Postal address (address lines, city, county, postcode, country)
  • Emergency contact name and phone number
  • Membership number (assigned by us)
  • Whether the member is a minor (under 18)

3.3 Guardian consent records

For junior members, we record the guardian’s relationship to the child and the date on which parental or guardian consent was given for UKPA membership and data processing.

3.4 Membership and competition records

We hold the following records relating to your participation:

  • UKPA membership history (product, valid dates, status, payment reference)
  • Club membership history (club name, valid dates)
  • Club transfer history (clubs involved, dates, status)
  • Playing grade (letter grade and numerical grade, assigned and superseded dates)
  • Umpire grade (if applicable)
  • Coach status (if applicable)
  • Official roles held at UKPA or club level (role title, dates, role contact email/phone if provided)
  • Event entry history (event, entry date, class entered, entry status, eligibility snapshot at time of entry)
  • Team event entries (team name, slot position, players assigned by the entering club, horses, guests, and — for cross-club loan players — the home club’s identity and the date the loan was recorded)
  • Acceptance records confirming you (or, for junior members, your guardian) have read and accepted the current UKPA Terms of Service and the current edition of the UKPA Handbook (date and IP address of acceptance, plus browser/device information)

3.5 Safeguarding and compliance records

For members holding safeguarding-relevant roles (officials, coaches, club administrators, and any role flagged as requiring compliance), we record the expiry date of relevant certifications:

  • DBS (Disclosure and Barring Service) check expiry date
  • First aid certificate expiry date
  • Safeguarding training certificate expiry date

We do not store the underlying DBS certificate, criminal record information, or any details of training providers or scores. Only the expiry date is held, used to flag when a renewal is due.

3.6 Diversity & inclusion data (equality monitoring)

To support equality of opportunity in the sport and to report aggregate diversity information to funding bodies (such as Sport England), we offer adult members the opportunity to provide:

  • Sex registered at birth
  • Ethnicity (using the GOV.UK harmonised ethnicity classification)
  • Whether you have a physical or mental health condition expected to last 12 months or more (the Equality Act 2010 disability question — we do not ask about the nature of the condition)

These questions are strictly optional. “Prefer not to say” is a valid answer for every question, and you may update or clear your answers at any time from your profile.

Your individual answers are never visible to anyone — not to UKPA administrators, not to club administrators, and not to other members. They are used only in aggregate, anonymised reporting with a minimum-cell-size of 10 enforced (any group smaller than 10 is suppressed in the report so individuals cannot be re-identified). The only person who can see your specific answers is you.

This data is special-category data under UK GDPR. We process it under Article 9(2)(g) — substantial public interest, equality of opportunity or treatment (Schedule 1, Part 2, paragraph 8 of the Data Protection Act 2018), and only for the purpose described above. We never hold this data for junior members, and we never ask for it during sign-up — it is offered only after a member has completed registration.

3.7 Horse data

Members who ride horses at UKPA events register those horses in our system. Horse records include:

  • Horse name, breed, colour, sex, date of birth
  • Passport number and a copy of the passport document
  • Vaccination records (type, date administered, expiry date, batch number, veterinarian name)
  • Rider/owner relationship and dates

Horse data relates to animals, not people. However, it is linked to member records and is therefore described here for completeness.

3.8 Payment data

Payments are processed by Stripe (see section 5 below). We do not store card numbers, bank account numbers, or any raw payment credentials. We do hold:

  • Payment amount, currency, type (membership, event entry, refund), and status
  • Stripe payment intent and charge reference numbers (anonymised identifiers)
  • Refund amounts and Stripe refund reference numbers
  • Timestamp of successful payment, failure, or refund

3.9 Contact form submissions

When you use the contact form on this website, we collect your name, email address, optional subject line, and the content of your message.

3.10 Technical and security data

To maintain the security of the member portal, we log:

  • IP address and browser/device information associated with login sessions
  • An audit log of significant administrative actions (for example, a membership being granted, a grade being assigned, or a club transfer being approved). The audit log records what changed, who made the change, and when.
  • Email verification tokens and password-reset tokens (stored as hashes; automatically deleted once used or expired)
  • Two-step email-change tokens (stored as hashes; automatically deleted once used or expired). When you change your login email, the system sends a confirmation link to the new address and a tripwire notice to the old address; the change only takes effect when the new-address recipient clicks the link.
  • Suspicious sign-in alert emails sent to your account email if our session-security system detects an attempted re-use of a revoked refresh token (a signal that a session cookie may have been compromised). At the same time, every active session and trusted-device cookie for the account is revoked.

3.11 Bulk-email recipient records

When a UKPA administrator sends a bulk email through the audience builder (for example, a newsletter or a region-wide announcement), the system snapshots the recipient list at the moment of sending so the campaign is replayable for accountability. Each recipient row holds:

  • Member identity (for traceability of who received the message)
  • Email address as it was at send time
  • First name and member full name as captured at send time (used only for personalisation tokens such as “Hi {{firstName}}”)
  • Whether the recipient is the member themselves or a guardian
  • The campaign’s audit metadata (subject line, filter snapshot, who pressed Send, when)

These snapshots are retained alongside the campaign for audit and purged with the campaign when an administrator deletes it.

4. How we use your personal data

The table below sets out each purpose, the data used, and the legal basis under UK GDPR.

| Purpose | Data used | Legal basis |
|---|---|---|
| Administering your UKPA membership | Account data, member registration data, membership records | Contract |
| Processing event entries (individual and team) and managing competition records | Member data, event entry records, team entry records, horse data, payment data | Contract |
| Processing membership and event-entry payments | Account data, payment data | Contract |
| Managing junior members (guardian relationships, consent) | Guardian relationship data, consent records, junior member data | Legal obligation & Contract |
| Service communications — renewal reminders, entry confirmations, club-transfer outcomes, team-player notifications, account verification and security alerts | Name, email address, membership status, event/transfer/team context | Contract |
| Non-transactional communications — UKPA-wide announcements, newsletters, and bulk emails sent by UKPA administrators through the audience builder | Name, email address, member status, filter criteria the administrator selected | Legitimate interests (with right to object — see section 8) |
| Maintaining a register of qualified umpires, coaches, and officials | Member data, grade records, official role records | Legitimate interests |
| Tracking safeguarding and compliance certification expiry (DBS, first aid, safeguarding) | Member data, certificate expiry dates, official role records | Legal obligation & Legitimate interests |
| Aggregate equality-monitoring reporting (no individual data shown; minimum cell size of 10) | Sex, ethnicity, disability — only for members who have voluntarily provided answers | UK GDPR Art. 9(2)(g) — substantial public interest, equality of opportunity |
| Responding to contact form enquiries | Name, email address, message content | Legitimate interests |
| Securing the member portal and preventing fraud (incl. suspicious-sign-in alerts, audit log) | IP addresses, login session data, audit log | Legitimate interests |
| Meeting financial and statutory record-keeping obligations | Payment records, membership records | Legal obligation |

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

We do not sell, rent, or share your personal data with third parties for marketing purposes.

5. Who we share your data with

We share personal data only where necessary and with appropriate safeguards in place.

5.1 Stripe (payment processing)

Card payments are processed by Stripe Payments Europe, Ltd and its affiliates. Stripe acts as a data processor on our behalf and is certified to the highest payment security standards (PCI DSS Level 1). Stripe’s privacy policy is available at stripe.com/gb/privacy. We do not store card details.

The UKPA collects event-entry fees directly via Stripe. Where an event is organised by a member club, settlement between the UKPA and the club takes place off-platform — no member personal data passes between the UKPA and the club through Stripe.

5.2 Club administrators

Club administrators can view the membership records of their own club’s members. They do not have access to financial data beyond confirming payment status for event entries.

Club administrators cannot see members’ individual equality-monitoring answers (section 3.6). The aggregate equality report is restricted to specifically-authorised UKPA administrators only, and even within that report the minimum-cell-size of 10 prevents re-identification.

A UKPA administrator may send bulk emails (newsletters, announcements) to filtered groups of members through an audience builder. Club administrators have a scoped version of the same tool that is automatically restricted to members of their own club. Recipients can opt out of non-transactional emails at any time by contacting support@ukpolocrosse.co.uk.

5.3 Legal and regulatory disclosures

We may disclose personal data where required to do so by law, court order, or a regulatory authority (for example, safeguarding referrals to statutory agencies).

5.4 International transfers

All personal data is stored and processed within the United Kingdom or the European Economic Area. We do not transfer personal data to countries outside the UK/EEA. Stripe’s infrastructure may involve transfers under their Standard Contractual Clauses — see Stripe’s privacy policy for details.

6. How long we keep your data

| Data category | Retention period | Reason |
|---|---|---|
| Membership and competition records | Minimum 7 years after the membership or entry ends | National governing body obligations; financial record-keeping |
| Payment records | 7 years from the date of transaction | HMRC and Companies Act requirements |
| Safeguarding / guardian consent records | Until the junior reaches 25, or 7 years from consent being given (whichever is later) | Safeguarding best practice and potential legal claims |
| Safeguarding / compliance certificate expiry dates | For the duration of the member's active role, plus 7 years | Safeguarding obligations and demonstration of due diligence |
| Diversity & inclusion (equality monitoring) data | Until you clear it from your profile, or your member record is deleted | You can update or wipe your answers at any time; not required to be retained for any minimum period |
| Audit log | Configurable by UKPA (365 days by default) | Security, accountability, and dispute resolution |
| Bulk-email campaign recipient snapshots | Retained alongside the campaign; deleted when a UKPA administrator deletes the campaign | Accountability and replayability of one-off communications |
| Contact form submissions | 12 months from submission | Correspondence management |
| Login session tokens | Deleted on logout or after 30 days of inactivity | Security |
| Email verification and password-reset tokens | Deleted once used or expired (typically within 24 hours) | Security — one-time use tokens |

You may request deletion of your personal data at any time (see section 9). We will honour that request subject to any legal retention obligations that require us to keep certain records for a defined period.

7. Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures, including:

  • Your password is stored as a one-way scrambled value — even we can’t read it.
  • Two-factor authentication is required for all administrators and available to all members. If an administrator can’t log in (for example because they’ve lost their authenticator app), another administrator can reset their two-factor setup — this is recorded and an alert is sent, so it can’t be misused quietly.
  • All connections between your device and the portal use HTTPS encryption.
  • Strict access controls — administrators see only the data they need for their role, and sensitive data such as payment records and the audit history is restricted to UKPA officers who specifically need it.
  • Every significant change to your data is recorded in an audit log we can’t edit.
  • If our security systems detect a sign that a session may have been compromised, we automatically sign the affected account out everywhere, record the event, and email you an alert.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, where required, contact affected individuals directly.

8. Your rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

Right of access

You have the right to request a copy of the personal data we hold about you (a "Subject Access Request"). We will respond within one month.

Right to rectification

You have the right to ask us to correct inaccurate personal data, or to complete incomplete data.

Right to erasure ("right to be forgotten")

You have the right to ask us to delete your personal data in certain circumstances. This right is subject to any legal obligations we have to retain certain records (see section 7).

Right to restrict processing

You have the right to ask us to restrict our processing of your personal data in certain circumstances, for example while a dispute about accuracy is resolved.

Right to data portability

Where we process your data on the basis of contract or consent and by automated means, you have the right to receive your personal data in a structured, machine-readable format.

Right to object

You have the right to object to processing carried out on the basis of our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

To exercise any of these rights, please contact us at support@ukpolocrosse.co.uk. We do not charge a fee for reasonable requests and will respond within one month.

9. Cookies and tracking

This website uses only strictly necessary cookies required for the member portal to function. These include authentication session tokens that keep you logged in while using the portal.

We do not use advertising cookies, analytics cookies, or any third-party tracking technologies. No cookie consent banner is therefore required under the Privacy and Electronic Communications Regulations (PECR).

10. Children’s data

Where a member is under 18, their membership is managed by a parent or guardian through the UKPA member portal. The guardian provides explicit consent for the junior member’s data to be collected and processed. We record the date consent was given and the relationship between the guardian and the child.

Guardians may exercise data subject rights on behalf of junior members they are responsible for. Contact us at support@ukpolocrosse.co.uk to do so.

11. Changes to this notice

We may update this privacy notice from time to time. The “Last updated” date at the top of this page will reflect any changes. Where changes are material, we will inform members by email or via a notice in the member portal.

12. How to complain

If you have a concern about how we handle your personal data, please contact us first at support@ukpolocrosse.co.uk so that we have the opportunity to address it.

If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection: