Privacy Policy
Last updated: 4 June 2026
1. Who we are
ClubVault is a sports club management platform operated by Inkarr ("we", "us", "our"). Our registered service is available at www.clubvault.app.
For any privacy-related queries, contact us at: privacy@clubvault.app
2. What data we collect
We collect the following categories of personal data:
- Account data: name, email address, password (hashed)
- Player data: full name, date of birth, position, team
- Medical data: medical conditions, allergies, emergency contacts, consent records — collected only for registered players
- Payment data: subscription status, invoice history. Card details are processed and stored solely by Stripe — we never store card numbers
- Usage data: pages visited, actions taken within the dashboard (for troubleshooting and service improvement)
- Communications: emails sent via the platform (payment receipts, announcements, event notifications)
3. How we use your data
| Purpose | Legal basis |
|---|---|
| Providing club management services | Contract performance |
| Processing subscription payments | Contract performance |
| Sending payment receipts and invoices | Contract performance |
| Storing player medical information | Explicit consent (parent/guardian) |
| Sending club announcements and event notifications | Legitimate interests / consent |
| Complying with legal obligations (e.g. financial records) | Legal obligation |
| Improving and securing the platform | Legitimate interests |
4. Children's data
ClubVault is used to manage junior players (under 18). We take the following steps to protect children's data:
- Under-18 players do not have their own login accounts. A parent or guardian account is required.
- Medical and personal data for minors is only entered by a verified parent or guardian who provides explicit consent at the point of registration.
- Medical data is accessible only to authorised club staff (managers and above) who have a legitimate need.
- When a player leaves the club, their medical data is soft-deleted immediately and permanently deleted after 30 days.
- We comply with the UK GDPR and the Children's Code (Age Appropriate Design Code) issued by the ICO.
5. Who we share your data with
We share data only with the following trusted third-party processors:
- Supabase — database and authentication hosting. Data is stored in the EU West (London) region.
- Stripe — payment processing. Stripe is PCI-DSS compliant. See Stripe's Privacy Policy.
- Resend — transactional email delivery (receipts, notifications). See Resend's Privacy Policy.
- Vercel — platform hosting and edge network.
We do not sell personal data to any third party.
6. Data retention
- Active accounts: data is retained for as long as the account is active.
- Medical data: soft-deleted when a player leaves; permanently deleted after 30 days.
- Payment records: retained for 7 years to comply with HMRC financial record-keeping requirements.
- Deleted accounts: personal data is removed within 30 days of an account deletion request.
7. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict processing of your data
- Data portability — receive your data in a machine-readable format
- Object to processing based on legitimate interests
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, email privacy@clubvault.app. We will respond within 30 days.
8. Cookies
ClubVault uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.
9. Security
We use industry-standard security measures including TLS encryption in transit, encrypted storage at rest, row-level security policies on the database, and multi-factor authentication support. We conduct regular security reviews.
10. ICO registration
We are registered with the Information Commissioner's Office (ICO) as required under UK GDPR for organisations processing personal data.
- Registration reference: ZC165873
- Data Protection Officer: Peter Wilson
- Contact: privacy@clubvault.app
- Registration expires: 3 June 2027
You can verify our registration on the ICO public register.
11. Changes to this policy
We may update this policy from time to time. We will notify club administrators of any material changes by email. The date at the top of this page shows when it was last updated.
12. Contact and complaints
For any privacy concerns, contact us at privacy@clubvault.app.
If you are not satisfied with our response, you have the right to lodge a complaint with the ICO at ico.org.uk/make-a-complaint.