Privacy

Last updated: 18 May 2018

Overview

In accordance with the General Data Protection Regulation, personal data is “any information relating to an identified or identifiable natural person” such as a name, email address, postal address or IP address. Processing of personal data refers to “any operation or set of operations which is performed on personal data”.

This privacy policy sets out how and why Whitley Warriors Ice Hockey Club processes any personal data that you give us when you use this website or any of our associated online systems. It is written in plain language with as little jargon as possible. It is set out in sections to make it easier to understand.

Your Account

Your Account

What personal data do we process?

When you set up an account on our website we collect your email address. You then have the option to add your first name, surname, billing address and shipping address. Additionally, you may opt for our website to store your payment details. This is held in an tokenised format – see the E-Commerce section below for more details.

Why do we process this personal data?

Your email address is required to send you instructions on how to set your account password and to identify your user account. Your first name, surname, billing address, shipping address and payment method are used to make your online shopping experience smoother by pre-filling these fields at the checkout. The lawful basis for processing this data is contractual necessity.

How long do we keep this personal data for?

This data is kept until you delete your account.

Who has access to this personal data?

Our payment processor has access to your encrypted payment details – see the E-Commerce section below for more details. Our website team has access to this personal data. It is not shared with any other third party unless we are legally required to do so.

E-commerce

E-commerce

What personal data do we process?

When you place an order on our website, we collect the following personal data:

  • Billing details
    • First name
    • Surname
    • Company name (optional)
    • Street address
    • Town/city
    • County
    • Postcode
    • Country
  • Shipping details (optional)
    • First name
    • Surname
    • Company name
    • Street address
    • Town/city
    • County
    • Postcode
    • Country
  • Email address
  • Telephone number
  • IP address

Additionally, certain data is collected by Google Analytics when you make a purchase from our website – please see the Google Analytics section below for more details.

Why do we process this personal data?

Billing details are required to process the debit or credit card transaction and for delivery of the item(s) ordered. Credit and debit card transactions are handled by Stripe on behalf of Whitley Warriors Ice Hockey Club. Your card details are encrypted (known as tokenisation) by your web browser before they are transmitted securely to Stripe, who will then process the transaction. We do not have access to your credit or debit card details at any time and we do not hold untokenised credit or debit card details on our server. The tokenised version of your card details, which can only be decrypted by Stripe, is stored on our server if you select the option to save your payment method in your account.

Shipping details are only required if the item(s) ordered are to be delivered to a different address to the billing details. Your email address is used to contact you regarding your order. Your telephone number is required in case we need to get in touch urgently regarding your order for example if an item in your order is time-limited in some way,

We require your IP address to locate which country you are in because sales are currently restricted to the United Kingdom.

The lawful basis for processing this data is contractual necessity.

How long do we keep this personal data for?

We keep the transaction data for six years from the date of the transaction.

Who has access to this personal data?

Stripe has access to your billing details so they can process the transaction. You can see their privacy policy at stripe.com/gb/privacy. Our website and e-commerce teams have access to this personal data. It is not shared with any other third party unless we are legally required to do so.

Mailing Lists

Mailing Lists

What personal data do we process?

When you sign up to our mailing list, we collect your name, surname and email address.

There are various forms throughout the website that can be used to subscribe to the mailing list. Subscribing requires explicit consent on the form and a further opt-in via email.

Why do we process this personal data?

Your email address is required to send you our promotional emails. Your first name and surname are required to personalise the ‘To’ field and greeting line of the email. The lawful basis for processing this data is consent.

How long do we keep this personal data for?

This data is kept until it is manually removed. If you unsubscribe, your data will remain on the list but will be marked as ‘Unsubscribed’ and you will not receive any further emails. This is to keep any preferences you may have set when you were subscribed in the event of you re-subscribing to the list.

Who has access to this personal data?

Our email mailing list provider is MailChimp. You can find their privacy policy at mailchimp.com/legal/privacy. Our website team has access to this personal data. It is not shared with any other third party unless we are legally required to do so. Our MailChimp account has two-factor authentication activated in case of an attempted hack using login credentials.

MailChimp is certified to the EU-U.S. Privacy Shield Framework, enabling us to legally transfer contact data from the EU to MailChimp’s servers in the USA in accordance with our MailChimp data processing agreement.

How do I change or remove my personal data from your mailing list?

Contact us and let us know you want your personal data to be deleted from the marketing list. We will manually remove your data and confirm this to you by email when it is completed. To change your information, click the link in the footer of any promotional email from us.

Contact Forms

Contact Forms

What personal data do we process?

There are various contact forms in use throughout our website. Every contact form will collect your first name, surname and email address. Certain contact forms may also collect your telephone number. Contact form data is emailed to us securely.

Why do we process this personal data?

We collect your email address so we can reply to your message if necessary. Every contact form will send an automated reply to notify you that your message has been sent. The lawful bases for processing this data are consent and contractual necessity should a reply be required.

How long do we keep this personal data for?

Personal data from contact forms is kept for varying lengths of time depending on the reason for contact. General queries from the public will be archived until the end of the current ice hockey season, after which they will be deleted unless there is a legitimate reason to retain them for longer. Messages that require forwarding to specific members of the Club’s management team may also be retained for longer.

Who has access to this personal data?

Our website team has access to this personal data in the first instance. If the query requires the attention of another member of the Club’s management team, the appropriate member will also have access to the personal data. It is not shared with any third party unless we are legally required to do so.

Location Services

Location Services

What personal data do we process?

Our website collects your location using your device’s GPS data if you grant us permission to do so using the permissions functions of your device.

Why do we process this personal data?

This data is used to provide directions from your current location to Whitley Bay Ice Rink. The lawful basis for processing this data is consent.

How long do we keep this personal data for?

This data is not retained or stored on our systems.

Who has access to this personal data?

Directions are provided by Google Maps. You can find their privacy policy at policies.google.com/privacy. We do not have access to this personal data.

Text Voting

Text Voting

What personal data do we process?

We collect your mobile telephone number.

Why do we process this personal data?

We require your mobile number in order to ascertain the number that has sent us the text message so we can prevent the same number voting multiple times. The vote may also require us to send a text message reply to a voter. For example, a voter may be able to win a prize as an incentive to cast a vote and winners would be notified by text message. The lawful basis for processing this data is contractual necessity.

How long do we keep this personal data for?

We retain this personal data until the vote has closed, as per the terms and conditions of that vote, and we have noted the winner(s) of the vote unless we are sending a text message reply. In this instance, we will delete all personal data except the number(s) requiring replies. This data will be deleted once no further communication is required.

Who has access to this personal data?

Our SMS systems provider is Text Local. You can find their privacy policy at textlocal.com/legal/privacy. Your mobile number is stored on their servers for the timescale mentioned above. Our website team has access to this personal data. It is not shared with any other third party unless we are legally required to do so.

Amazon Alexa

Amazon Alexa

What personal data do we process?

We do not process any personal data in our Alexa skill. You can find Amazon’s terms and conditions for Alexa at amazon.co.uk/gp/help.

Google Analytics

Google Analytics

What personal data do we process?

We track users’ visits to our website using Google Analytics including where the user was directed to our website from, which pages they visited and for how long, whether they are a first-time visitor or returning visitor. Google Analytics will also track anonymous user demographics including age range, gender and users’ interests depending on whether the user is signed into a Google account on their browser at the time of their visit to our website. Users’ IP addresses are anonymised.

Additionally, Google Analytics will track purchases made on our website. Individual order numbers will be recorded by Google Analytics which, in association with our non-public e-commerce sales records, will allow a user to be personally identified. No other personal data is included.

Why do we process this personal data?

We use this data to track our website’s popularity and to see which pages are our most visited, allowing us to enhance our website accordingly. We use e-commerce data to measure conversions based on where the user was directed to our site from in order to ascertain where we should concentrate our marketing efforts. The lawful basis for processing this data is legitimate interests.

How long do we keep this personal data for?

Google Analytics data is held for 26 months.

Who has access to this personal data?

Our website team has access to this personal data. It is not shared with any other third party unless we are legally required to do so.

Website Security

Website Security

Our website is secured by SSL to ensure data transferred between our server and your device is encrypted. Our email server is also secured by SSL.

We have security software and procedures in place on our website to reduce the risks of a data breach. For example, login forms are protected so that if you enter the wrong login details five times within five minutes, you will be suspended from logging in for a further five minutes. This deters brute force attacks from bots. We have a firewall on our website that will immediately ban or limit suspicious web traffic depending on its type.

Our entire server is backed up on daily basis and is securely transferred to an Amazon Web Services storage facility in Ireland. We retain Monday to Saturday’s backups for seven days. Sunday’s backup is retained for one calendar month.

Data breaches

We have procedures in place to detect, report and investigate personal data breaches.

If a data breach is detected, in the first instance we will evaluate the risk to the rights and freedoms of individuals. If a data breach is likely to result in a risk to these rights and freedoms we will notify the Information Commissioner’s Office within the required 72 hours of discovery of the data breach. If a data breach is not likely to result in a risk to the rights and freedoms of individuals, we are not required to notify the ICO of the breach but will document the breach and our reasons for not notifying the ICO.

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected individuals without undue delay.

Can I see or remove the personal data your website holds relating to me?

Yes, of course. Enter your registered account email address in the form below (if you’re logged in it’ll already be in the box) and select whether you’d like us to send you your data or remove your data. You’ll receive a confirmation email – click the link in the email to confirm your request.

Send me my dataDelete my data