SportsDayPro

Data Protection & GDPR Compliance Statement

Last updated: 19 June 2026

This statement is intended for school IT departments, Data Protection Officers and senior leadership assessing SportsDayPro before processing pupil data. It complements the Privacy Policy and summarises the key facts a school needs for its own data-protection records (including a Data Protection Impact Assessment, DPIA).

SportsDayPro is operated by SportsDayPro (sole trader Ralph Barlow), United Kingdom. Contact: info@sportsdaypro.com.

1. Controller / processor relationship

2. Categories of data subject and personal data

3. Purpose and lawful basis

Personal data is processed only to deliver sports-day management functionality to the school (event organisation, results, records, certificates, parent/pupil access, staff administration). We process under the contract with the school; the school determines its own lawful basis (typically public task).

We do not sell data, serve advertising, or perform profiling/automated decision-making.

4. Data storage location and residency

ItemDetail
Cloud providerMicrosoft Azure
RegionUK South (Microsoft UK data centres)
Application tierAzure App Service
Data tierAzure SQL Database
Data residencyUnited Kingdom — no transfer outside the UK
International transfersNone. Optional sub-processors operate under UK/EEA data residency.

5. Security measures (Article 32)

6. Sub-processors

Sub-processorPurposeLocation
Microsoft AzureHosting and databaseUK (UK South)
Microsoft (Microsoft Graph)Email / calendar from the school's own mailbox — only if enabled and consented by the schoolUK/EEA
GoogleOAuth sign-in — only if a user chooses itUK/EEA

Schools are notified of changes to sub-processors and may object.

7. Article 28 processor commitments

As processor we commit to:

  1. Process personal data only on the school's documented instructions.
  2. Ensure persons authorised to process data are bound by confidentiality.
  3. Implement appropriate technical and organisational security measures (§5).
  4. Engage sub-processors only under equivalent obligations and with the school's general authorisation, notifying changes.
  5. Assist the school with data-subject rights requests and with its DPIA / security / breach-notification obligations.
  6. Notify the school without undue delay on becoming aware of a personal data breach.
  7. Delete or return all personal data at the end of the engagement (default: deletion within 30 days), save where UK law requires retention.
  8. Make available the information necessary to demonstrate compliance and allow for audits.

8. Data subject rights

Because we are a processor, rights requests (access, rectification, erasure, restriction, portability, objection) are handled by the school, which instructs us. We provide tools/assistance to export or delete data so the school can respond within statutory timeframes.

9. Retention and deletion

Data is retained for as long as the school needs it. On request, or on termination, the school's data is exported and/or deleted within a reasonable period (default 30 days).

10. Breach notification

We maintain detection and response procedures and will notify the affected school without undue delay of any breach affecting its data, providing the information the school needs to meet its own ICO and individual-notification duties.

11. Regulator and contact

This statement is provided to assist schools' due diligence and does not constitute legal advice. Schools remain responsible for their own data-protection compliance as controller.