Privacy Policy
This Privacy Policy explains how SportsDayPro ("the Service", "we", "us") collects, uses, stores and protects personal data when a school uses the Service to manage its sports day.
SportsDayPro is operated by SportsDayPro (sole trader Ralph Barlow), based in the United Kingdom. Contact: info@sportsdaypro.com.
1. Our role: data processor, not controller
When a school uses SportsDayPro, the school is the data controller and SportsDayPro is the data processor acting on the school's documented instructions, as defined by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This means:
- The school decides what pupil, parent and staff data is entered into the Service and why.
- We only process that data to provide the Service to the school, and never for our own purposes.
- A Data Processing Agreement (DPA) governs this relationship — see the Data Protection & GDPR Compliance Statement.
Requests from pupils, parents or staff to access, correct or erase their data should be directed to their school in the first instance; we will assist the school in fulfilling them.
2. What personal data we process
We process only the data a school chooses to enter or sync into the Service. Typically this includes:
| Category | Examples |
|---|---|
| Pupil identity | Name, year group, form/tutor group, house, sex/category (used to enter athletes into the correct events) |
| Pupil participation data | Event entries, heat/lane allocations, results, points, records, certificates, volunteering roles |
| Parent/guardian data | Name and email address (only where a school enables parent access) |
| Staff data | Name, email address, role/permission tier |
| Account & authentication data | Email address, hashed password (where email/password sign-in is used), and the identifier returned by Microsoft or Google when single sign-on is used |
| Technical data | IP address, browser type and log/diagnostic data generated when using the Service |
We do not intentionally collect special category data (e.g. health, ethnicity, religion). Schools are instructed not to enter such data into free-text fields. The recording of a pupil's sex/competition category is limited to what is necessary to organise sex-categorised athletic events.
3. Why we process it (lawful basis)
We process personal data on behalf of the school. The school's lawful basis is normally the performance of a public task (the provision of education) or its legitimate interests in running school activities. We rely on the school's instruction and the contract (DPA) between us as our basis for processing as a processor.
We do not:
- sell personal data;
- use personal data for advertising or marketing;
- carry out automated profiling or decision-making that produces legal or similarly significant effects.
4. Where your data is stored (data residency)
All personal data is stored and processed within the United Kingdom.
- Hosting and database: Microsoft Azure, UK South region (Microsoft's UK data centres).
- The application runs on Azure App Service and data is held in an Azure SQL Database.
- No personal data is transferred outside the UK. Where an optional integration involves a sub-processor (see §6), data remains within the UK/EEA under that provider's UK data-residency arrangements.
5. How we keep data secure
We apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit — all connections use TLS (HTTPS).
- Encryption at rest — Azure SQL Transparent Data Encryption.
- Tenant isolation — each school's data is logically separated. Database row-level security enforces that one school can never read another school's records, and is fail-closed (no school context = no rows returned).
- Access control — role/permission tiers (Student, Staff, Admin) restrict what each user can see and do; passwords are stored only as salted hashes.
- Least-privilege administration and audited, restricted access to production systems.
6. Sub-processors
We use a small number of trusted sub-processors, all of which offer UK/EEA data residency and appropriate GDPR safeguards:
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure | Application hosting and database | UK (UK South) |
| Microsoft (Microsoft Graph) | Sending email and calendar invitations from the school's own mailbox — only where the school enables this and grants consent | UK/EEA |
| Sign-in (OAuth) — only where a user chooses Google sign-in | UK/EEA |
We will inform schools of any intended changes to our sub-processors so they may object.
7. Data retention
We retain personal data only for as long as the school requires it to run the Service. A school may request export or deletion of its data at any time. On termination of service, we delete or return the school's personal data within a reasonable period (normally 30 days), subject to any legal retention obligations.
8. Your rights
Under UK GDPR, data subjects have rights to access, rectification, erasure, restriction, objection and portability. Because we act as a processor, please exercise these rights through your school, which will instruct us as necessary. We will support the school in responding within statutory timeframes.
9. Children's data
SportsDayPro processes data about children. We treat this data with particular care, restrict access to it on a need-to-know basis, and do not use it for any purpose other than providing the Service to the school. Parent/pupil accounts are created only at the school's direction.
10. Cookies
We use only cookies that are strictly necessary for the Service to function (e.g. authentication and session management). We do not use advertising or third-party tracking cookies. See our separate Cookie Policy for details.
11. Data breaches
We maintain procedures to detect, report and investigate personal data breaches. In the event of a breach affecting a school's data, we will notify the affected school without undue delay so it can meet its own notification obligations to the Information Commissioner's Office (ICO) and affected individuals.
12. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to subscribing schools.
13. Contact
For any privacy question about SportsDayPro:
SportsDayPro (sole trader Ralph Barlow)
Email: info@sportsdaypro.com
If you are a pupil, parent or member of staff, please contact your school's Data Protection Officer in the first instance. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) — ico.org.uk.