Starcross Fishing & Cruising Club — Privacy Policy (UK GDPR)

Last updated: 17 August 2025

We respect your privacy. This notice explains what personal data we collect, why we collect it, how we use it, how long we keep it, who we share it with, and your rights under UK GDPR and the Data Protection Act 2018.

1) Who we are (Data Controller)

Starcross Fishing & Cruising Club (“SFCC”, “we”, “us”, “our”).

• Club address: Brunel Tower, The Strand, Starcross, Exeter EX6 8PR

• Email: data@starcross-fcc.co.uk

• Website: www.starcross-fcc.co.uk

Unless stated otherwise, SFCC is the data controller for the activities described in this notice. If we use third‑party providers (e.g., for payments, bookings, or email), those providers act as data processors on our behalf or as independent controllers where they determine their own purposes.

2) What data we collect

We only collect what we need for club administration, safety, events and membership.

Identity & Contact

• Full name, date of birth (if relevant), postal address, email, phone.

• Emergency contact details.

Membership & Participation

• Membership category, start/end dates, concessions, volunteer roles.

• Event registrations (meets, cruises, competitions), results, boat details (e.g., class, name, sail number), mooring/berthing/winching records, access fob numbers.

Payments

• Fees paid, invoice records, and transaction references via our payment providers. We do not store full card numbers.

Safety & Safeguarding (collected only where necessary)

• Incident/accident reports, risk assessments, medical information you provide for specific events (e.g., allergies), parental/guardian details for junior members.

Media

• Photos and videos taken at club activities or on club premises. We explain how we use media below and at the point of capture.

Website/IT

• Technical data such as IP address, device type, pages visited, cookie identifiers, login times for member portals.

Communications

• Emails, messages, feedback forms, and complaints.

3) How we collect your data

• Directly from you (application forms, online forms, email, phone, in person).

• From your parent/guardian (for under‑18s).

• From event organisers, skippers, instructors or volunteers when they submit incident/event details.

• From technology you use (website analytics, access systems, Webcam, CCTV if in use – see §10).

4) Why we use your data (purposes) & lawful bases

We rely on these lawful bases under UK GDPR:

• Contract – to manage your membership, process payments, provide member services and booked events.

• Legitimate interests – to run the club efficiently and safely (e.g., rota management, volunteer coordination, competition scoring, access control, basic event photography, general member updates). We balance this against your rights.

• Legal obligation – HMRC/accounting, health & safety reporting, incident logs.

• Consent – optional marketing to non‑members, certain uses of photos/video, and any health data we request for an event where consent is appropriate.

• Vital interests – to protect life in an emergency (e.g., sharing medical info with emergency services).

• Special category data – if we process health data or safeguarding information, we rely on explicit consent, vital interests, or the not‑for‑profit exemption (Article 9(2)(d)) for members/regular contacts, with appropriate safeguards.

Examples

• Membership applications/renewals – Contract.

• Safety and incident records – Legal obligation/Legitimate interests.

• Photo galleries & social posts about events – Legitimate interests; we’ll honour reasonable opt‑outs. For juniors or sensitive contexts, we obtain consent.

• Email newsletters to members about club business – Legitimate interests. You can opt out at any time.

• Promotional mailings to non‑members – Consent.

5) Marketing

We send members operational updates (e.g., events, notices, AGM) under legitimate interests. You can opt out of non‑essential messages via the unsubscribe link or by contacting us.

For non‑members, we only send marketing if you opt in. You can withdraw consent at any time.

6) Photography & video

We may take photos/video at events and on club premises to record activities and promote the club.

• We’ll tell you when filming/photography is taking place (e.g., at sign‑on, noticeboard, or event briefings).

• If you prefer not to be included, tell the photographer or contact us and we’ll take reasonable steps to avoid/ remove identifiable images.

• For under‑18s, we obtain parent/guardian consent for identifiable images.

7) CCTV (if applicable)

If CCTV operates on our premises:

• It is used for security, safety and the prevention/detection of crime (legitimate interests).

• Clear signage is displayed. Footage is retained for a short period unless required for an investigation or claim.

• Access is restricted to authorised officers and service providers, and may be shared with law enforcement when lawful to do so.

[If the club does not use CCTV, delete this section.]

8) Sharing your data

We share data only when necessary and with appropriate safeguards:

• Committee members and designated officers (e.g., Membership, Treasurer, Safeguarding, Bosun/Harbour).

• Volunteers, instructors, race/competition officers, event organisers – only what they need to perform their role.

• Service providers acting under our instructions (e.g., web host, email provider, payment processor, membership system, access control).

• Insurers, legal advisers, regulators (e.g., after incidents/claims).

• Governing bodies/associations when needed to enter events, maintain records, or comply with rules.

• Law enforcement when required by law.

International transfers. Some providers may store data outside the UK. Where that happens, we ensure there are appropriate safeguards (e.g., adequacy regulations, International Data Transfer Agreement, or Standard Contractual Clauses with additional protections).

We do not sell your personal data.

9) How long we keep your data (retention)

We keep data only as long as needed for the purposes above, then securely delete or anonymise it.

Data type	Typical retention
Membership records	For your membership term and up to 6 years after it ends (limitation & finance).
Financial/payment records	6 years from the end of the financial year (HMRC).
Accident/incident reports	3 years from the incident; for minors, until age 21 (the later of the two).
Access logs (keys/fobs)	Up to 12 months after access is revoked, unless needed longer for security.
Routine email correspondence	Up to 24 months unless needed for ongoing matters.
Photos & videos	Until we replace them or you object/withdraw consent (see §6).
Website analytics	As per cookie lifetimes (see §11).

Actual periods may vary to meet legal, insurance, or operational needs.

10) Security

We use administrative, technical and physical safeguards appropriate to the risks, including access controls, role‑based permissions, encryption in transit where possible, and staff/volunteer guidance. No system is 100% secure; we review controls regularly.

11) Cookies & website analytics

Our website may use cookies and similar technologies (e.g., for login sessions, preferences, and aggregated analytics). Where required, we will ask for your consent.

• You can manage cookies in your browser settings. Blocking some cookies may affect site functionality.

• For details, see our Cookie Policy:

12) Your rights

You have rights over your personal data, including:

• Access – a copy of your data.

• Rectification – correct inaccurate or incomplete data.

• Erasure – ask us to delete data in certain cases.

• Restriction – limit how we use it.

• Objection – to processing based on legitimate interests or to direct marketing.

• Portability – receive data you provided to us in a usable format (where technically feasible and lawful).

• Withdraw consent – where we rely on consent (this doesn’t affect past use before withdrawal).

To exercise these rights, contact us (see §1). We may need to confirm your identity. We aim to respond within one month.

Complaints: If you are unhappy with how we handle your data, please contact us first. You also have the right to complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
https://ico.org.uk/

13) Third‑party links

Our website, newsletters, or social posts may link to other sites. Those sites have their own privacy notices; we are not responsible for their content or practices.

14) Changes to this notice

We may update this notice to reflect changes in law or how we operate. We will post the new version with a new “Last updated” date and, where appropriate, notify members.

15) Contact

Questions, requests, or complaints:

Email: data@starcross-fcc.co.uk 
Postal: Brunel Tower, The Strand, Starcross, Exeter EX6 8PR

Appendix: our current processors (complete & keep up to date)

• Website hosting: it3.co.uk

• Membership system/CRM: membermojo.co.uk 

• Email provider/newsletters: Microsoft/Membermojo.co.uk

• Payments: Stripe

• Access control/CCTV: Paxton

Replace bracketed placeholders with your details, and delete sections that don’t apply (e.g., CCTV). This policy is information only and not legal advice.