1. Data Controller
The data controller responsible for your personal data is:
Take The Next Step 121
Luton, Bedfordshire, United Kingdom
Email: info@takethenextstep121.com
Phone: 07392 756909
2. What Personal Data We Collect
The following table summarises the categories of personal data we collect, where it comes from, and why we collect it.
| Data Category | Specific Data | Source | Purpose |
|---|---|---|---|
| Parent/Guardian identity | First name, last name | Registration, checkout | Service provision |
| Parent/Guardian contact | Email, phone | Registration, checkout | Booking communications |
| Child identity | First name, last name | Checkout, portal | Service provision |
| Child date of birth | Date of birth | Checkout, portal | Age verification, group placement |
| Child health | Medical conditions | Checkout, portal | Safety, duty of care |
| Emergency contact | Name, phone, relationship | Checkout | Child safety |
| Secondary guardian | Name, email, phone, relationship, pickup authorisation | Checkout | Child safety, pickup authorisation |
| Account credentials | Email, password (hashed) | Registration | Account access |
| Payment | Card details (handled by Stripe; they never touch our servers) | Checkout | Payment processing |
| Digital signatures | Signature image, signer name | Checkout | Legal compliance (waivers, guardian declaration) |
| Consent records | Marketing consent, photo consent, terms acceptance | Checkout, registration | Legal basis tracking |
| Communication preferences | Email/SMS preferences | Portal | Preference management |
| Contact form submissions | Name, email, phone, message | Contact form | Enquiry response |
| Technical data | IP address, user agent | Automatic | Security, fraud prevention |
| Cart data | Email, items, customer details | Automatic during checkout | Cart recovery |
3. How We Collect Your Data
We collect personal data through the following methods:
- Directly from you – when you fill in forms on our website, register for an account, complete the checkout process, or contact us.
- Automatically – through cookies, server logs, and IP address collection when you use our website.
- From third parties – Stripe payment confirmations received via webhooks when you complete a payment.
4. Legal Basis for Processing
Under the UK GDPR, we rely on the following legal bases to process your personal data:
- Contract performance – processing necessary to provide the football coaching services you have booked, manage your account, and fulfil our contractual obligations to you.
- Legitimate interests – processing necessary for our legitimate interests, including website security, fraud prevention, and abandoned cart recovery, where those interests are not overridden by your rights.
- Consent – where you have given clear consent for us to process your data for specific purposes, including marketing communications and photo consent.
- Legal obligation – processing necessary to comply with legal requirements, including financial records retention as required by HMRC.
5. Children's Data – Special Protections
As a children's football coaching service, the protection of children's data is of paramount importance to us.
- We collect children's data solely to provide football coaching services safely and effectively.
- Data collected is limited to: name, date of birth, and medical conditions relevant to safe participation in physical activities.
- All children's data is provided by parents or guardians – we never collect personal data directly from children.
- We do not profile children or use their data for marketing purposes.
- Parental or guardian consent is obtained via a guardian declaration with digital signature during the checkout process.
UK ICO Children's Code Compliance
We are committed to compliance with the UK ICO Age Appropriate Design Code (Children's Code). Our approach includes:
- Best interests of the child – the child's best interests are a primary consideration in all data processing decisions.
- Data minimisation – we collect only the minimum data necessary to provide our services safely.
- No detrimental use – children's data is never used in ways that are detrimental to their wellbeing.
- Transparency for parents – parents and guardians are given clear, accessible information about how their child's data is used.
6. How We Use Your Data
We use your personal data for the following purposes:
- Provide football coaching services and manage bookings.
- Process payments securely via Stripe.
- Send booking confirmations and session reminders.
- Send marketing communications (with your consent only).
- Maintain security and prevent fraud via audit logging.
- Send abandoned cart recovery emails (legitimate interest, with easy opt-out).
7. Data Sharing and Third-Party Processors
We share your data with the following third-party processors who help us deliver our services:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, payment card details (via Stripe Checkout) | US/EU |
| Firebase/Google Cloud | Authentication + database | User/booking/child data, auth credentials | EU |
| Vercel | Web hosting + CDN | HTTP logs, IP addresses | Global CDN (US HQ) |
| Resend | Transactional + marketing email | Email addresses, names, email content | US |
| Google Sheets | Legacy booking/contact backup | Booking details, contact form data | US |
| Google Fonts | Web fonts | IP address (browser request) | US |
We never sell your personal data to third parties.
8. International Data Transfers
Some of our third-party processors are based in the United States (Stripe, Vercel, Resend, Google). When your data is transferred outside the UK, it is protected by:
- UK adequacy decisions where applicable.
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
- Our processors' commitment to data protection standards equivalent to or exceeding UK GDPR requirements.
9. Data Retention
We retain your personal data only for as long as necessary for the purposes it was collected. Specific retention periods are:
- Booking records – retained while your account is active plus 6 years afterwards (HMRC tax record requirements).
- Audit logs – IP addresses anonymised after 90 days; full records deleted after 2 years.
- Abandoned carts – automatically expire and are deleted after 7 days.
- Account data – retained until you request account deletion.
- Contact form data – retained for correspondence tracking purposes.
- Waiver signatures – retained for the duration of the booking plus the legal retention period.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit (HTTPS/TLS, HSTS).
- Firebase security rules restricting database access to authorised users only.
- CSRF protection on all forms.
- Rate limiting on API endpoints.
- Input validation and sanitisation.
- Sensitive field redaction in audit logs.
- Content Security Policy headers.
11. Your Rights (UK GDPR)
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access – you can request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification – you can request that we correct any inaccurate or incomplete personal data.
- Right to erasure – you can request that we delete your personal data (the “right to be forgotten”), subject to legal retention requirements.
- Right to restrict processing – you can request that we limit how we use your data in certain circumstances.
- Right to data portability – you can request a copy of your data in a structured, commonly used, machine-readable format.
- Right to object – you can object to the processing of your personal data, including for marketing purposes.
- Rights related to automated decision-making – you have the right not to be subject to decisions based solely on automated processing that significantly affect you.
- Right to withdraw consent – where processing is based on consent, you can withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
12. How to Exercise Your Rights
To exercise any of your rights, please contact us:
- Email: info@takethenextstep121.com
- We will respond to your request within 1 calendar month.
- Identity verification may be required to protect your data.
- To opt out of marketing communications, use the unsubscribe link in any marketing email or update your preferences in your account portal.
13. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first at info@takethenextstep121.com.
15. Abandoned Cart Communications
If you begin the checkout process but do not complete your booking, we may send you recovery emails to help you complete your purchase. This is based on our legitimate interest in completing the transaction you started.
You can opt out of these emails by not providing your email address during checkout, or by contacting us at info@takethenextstep121.com to request removal.
16. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page with an updated “Last updated” date.
Where we make significant changes, we will make reasonable efforts to notify you by email where possible.
17. Contact Us
If you have any questions about this privacy policy or how we handle your personal data, please contact us:
Take The Next Step 121
Luton, Bedfordshire, United Kingdom
Email: info@takethenextstep121.com
Phone: 07392 756909
