Privacy Policy
Last updated: 8 May 2026
Badminton Clubhouse is a multi-tenant platform that helps badminton clubs run their day-to-day operations and helps players find games, track their stats, and manage their relationship with the clubs they belong to. This page explains what personal data we hold, why, who we share it with, and what control you have.
This policy is written for UK users under the UK GDPR and the Data Protection Act 2018. If you're based in the EU your equivalent rights under the EU GDPR apply.
1. Who is the data controller?
For data you give us directly (your account, your profile, your public-facing handle), the controller is Paul King, trading as Badminton Clubhouse, contactable at privacy@badmintonclubhouse.com.
For data your club records about you as a member of that club (membership status, attendance, fees, club-specific notes), the club committee is the controller and Badminton Clubhouse acts as their processor. Each club is responsible for its own privacy notice covering that membership data; this policy covers the platform layer only.
2. What personal data we collect
We collect only what we need to run the platform and the features you use. Data is grouped by where it lives:
Account & identity
- Email address, password (hashed, never stored in plaintext)
- Display name, handle, pronouns, date of birth, profile photo if you upload one
- Postcode (for finding nearby games and clubs)
Profile (optional, you control these)
- Bio, skill level, preferred format, dominant hand, goals
- Phone number, address, gender
- Emergency contact name, phone and relationship (used for safeguarding only)
- Medical notes (used by your club committee for in-session safety only)
Club membership
- Which clubs you belong to, your membership status, your membership level, custom club fields (e.g. shirt size if your club asks)
- Optional: Badminton England number and BE profile URL
Activity & matchmaking
- Friendly games you host or RSVP to via Find a Friendly Game, attendance at club sessions, play sessions you log
- Events you're invited to or attend
- Career stats derived from the above
Consent records
- Every consent you give (GDPR processing at a club, photo consent at a club, public profile visibility, public profile photo) is logged with timestamp and the policy version you agreed to. Withdrawals are kept for two years for audit.
Communication & audit
- Notifications we send you (email log, in-app feed, push if you opt in)
- Audit trail of safeguarding-relevant actions (e.g. a guardian acting on a junior's behalf), retained for two years
Junior profiles (under 18)
If you're a parent or guardian managing a junior's profile, we hold the same categories of data as for adults but attached to a separate junior profile with no login of its own. See section 7 for our junior posture in full.
3. Why we process it (lawful bases)
| What we're doing | Why we're allowed to |
|---|---|
| Creating and maintaining your account, signing you in | Contract (your sign-up agreement with us) |
| Showing you to your clubs, recording attendance, billing | Contract (between you and your club; we act as the club's processor) and the club's legitimate interest in running its operations |
| Public profile at /players/[handle], indexing by search engines | Your explicit consent (opt-in, withdrawable at any time) |
| Photo on your public profile | Your explicit consent, separate from photo consent at any of your clubs |
| Storing emergency contact and medical notes for in-session safety | Vital interests (Article 9(2)(c)) for the medical fields, contract for the emergency contact |
| Transactional email (sign-up confirmation, invitations, notifications you've subscribed to) | Contract and our legitimate interest in operating the service |
| Safeguarding for under-18s, welfare-hold workflows | Legal obligation (the Children Act 2004, NSPCC guidance for youth sport) and substantial public interest under DPA 2018 Sch 1 Part 2 Para 18 |
| Audit logs of guardian / committee actions | Legitimate interest in fraud prevention, dispute resolution, and substantial public interest for safeguarding |
| Aggregate, anonymous platform analytics | Legitimate interest in measuring and improving the product |
4. Who we share data with
We do not sell your data, run ad networks, or share it with marketers. We do use the following sub-processors to run the platform:
| Processor | Purpose | Region / safeguards |
|---|---|---|
| Supabase Inc. | Database and authentication (the canonical store for everything in section 2) | EU (Ireland — eu-west-1). UK adequacy applies. |
| Vercel Inc. | Web hosting, edge functions, anonymous web analytics (cookieless) | US-based with UK / EU adequacy via the UK Extension and Standard Contractual Clauses |
| Brevo (Sendinblue SAS) | Transactional and bulk email delivery (sign-up, invitations, notifications) | EU (France) |
We share data inside the platform only on a need-to-know basis:
- Your club committee sees the full member record for your club (the membership data they're the controller of), plus contact data you've made visible via the "show email" / "show phone" toggles in your profile.
- Other members of your clubs see what your committee has chosen to display in the club directory and what your visibility setting allows. You can set visibility to private, clubs only (default), or public.
- Anyone (including search engines) sees only what you've made public via your /players/[handle] profile, and only after you've given the explicit consent described in section 8.
5. Your public profile
By default your profile visibility is "clubs only". Search engines cannot index it. You can opt in to a public profile by going to /me/profile and switching visibility to "public". When you do:
- Your display name, handle, skill tier, headline stats (games played, format split, recent form), bio, and the discoverable clubs you belong to become visible at /players/your-handle.
- Your photo appears only if you separately grant "public profile photo" consent.
- Search engines may index the page.
- Opponent and partner names on your recent-games list always appear as initials with skill tier — never as full names.
- You can switch back to private or clubs-only at any time. Your URL returns 404 within sixty seconds; search engines drop the page from their index over the following weeks.
6. Cookies and tracking
We use only essential cookies — the ones our authentication needs to keep you signed in. We do not use advertising cookies, social-media trackers, or third-party analytics that profile you.
Vercel Web Analytics, which we use for aggregate page-view counts, is cookieless and does not track individuals across sites.
7. Children and under-18s
The platform supports junior players via guardian-managed profiles. We comply with the UK ICO Age-Appropriate Design Code (the "Children's Code") and Article 8 of the UK GDPR.
- Juniors do not have public profiles. Under-18 visibility is locked to clubs-only by default, and the public /players/[handle] route does not resolve for junior accounts.
- Guardians give consent for under-13s. Between 13 and 15 a junior may give limited consents with their guardian informed; from 16 they may make data-mature decisions with guardian co-signature.
- Promotion at 18. When a junior turns 18 we email them with a magic link to take ownership of their own account; they have between 30 and 90 days to do so. If they don't, we lock their record. Guardians lose access at 18 (with a short read-only grace window) regardless.
- Welfare holds. If we detect a safeguarding concern (for example, a child being added to a club without an active guardian), we apply a welfare hold and route the case to a club's welfare officer or a platform admin. The audit trail is shared with all of the child's active guardians.
A separate junior public surface (e.g. county pathway visibility) is not part of the current product and would only ship after consultation with Badminton England, the relevant county associations, and an updated Children's Code DPIA.
8. Consent — and how to withdraw it
Where we rely on consent (public profile visibility, public profile photo, photo on a club roster, GDPR processing on a specific club, optional marketing email if you opt in) you can withdraw at any time:
- Public profile visibility / photo: at /me/profile in the "Public profile" section.
- Per-club photo consent: at /me/profile in the "Photo consent" section, per club.
- Notification subscriptions: at /me/notifications preferences tab.
Withdrawing a consent does not affect anything we did under that consent before you withdrew. We keep the consent and withdrawal records for two years so we can show what you agreed to and when.
9. How long we keep things
- Account data: while your account is active. When you delete it (via /me/profile → "Delete my account"), we cascade-delete profile rows, member rows, and the auth user. Your handle is held in reservation for 90 days to prevent impersonation, then released.
- Consent and safeguarding audit logs: two years.
- Email log (records of emails we've sent you): retained while needed for delivery troubleshooting and audit; reviewed annually.
- Game and event records remain attached to their club for as long as that club uses the platform; if the club leaves the platform, data is exported to the club and removed from our systems within 30 days.
- Junior records follow the rules in section 7; they're either locked at 18 + 90 days or carried forward into the player's new adult account.
10. Your rights under UK GDPR
You have the right to:
- Access the data we hold about you (a copy).
- Rectification of anything that's wrong — most fields are editable directly via /me/profile.
- Erasure, sometimes called "the right to be forgotten". Self-service via /me/profile → Delete my account, or by emailing us. Note: we cannot erase records that are subject to a legal obligation (e.g. an active safeguarding investigation) until that obligation lifts.
- Restriction of processing while a dispute is being resolved.
- Portability — a machine-readable copy of the data you gave us.
- Object to processing based on legitimate interest. We'll stop unless we have an overriding lawful ground (in practice: safeguarding-related processing for under-18s).
- Not be subject to solely automated decisions that produce a legal or similarly significant effect. We don't make any.
To exercise any of these, email privacy@badmintonclubhouse.com. We'll respond within one calendar month.
11. How we protect your data
- All traffic is encrypted in transit (HTTPS/TLS 1.2+).
- Data at rest is encrypted by Supabase using industry-standard mechanisms.
- Passwords are stored only as bcrypt hashes — we never see them in plaintext.
- Row-level security (RLS) on the database enforces who can read and write what; club admin actions and any acting-as-junior actions are logged in an immutable audit trail.
- Sensitive uploads (e.g. safeguarding evidence) live in a private storage bucket and are accessible only via short-lived signed URLs to platform admins.
12. Changes to this policy
When we make material changes (anything that affects what we process, why, or who we share with) we'll email registered users at least 14 days before the change takes effect. Minor edits — fixing a typo, updating a sub-processor's region — are made silently and dated below.
13. Complaints and ICO escalation
If you're unhappy with how we've handled your data, please email privacy@badmintonclubhouse.com first — we want the chance to fix it.
You also have the right to complain to the UK Information Commissioner's Office:
- Web: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14. Contact us
Questions about this policy, requests for your data, or anything privacy-related: email privacy@badmintonclubhouse.com.
For general support that doesn't involve personal data, our help centre is at /help or you can reach the team at hello@badmintonclubhouse.com.