Privacy Policy

The Royal Twirling Association (RTA) is committed to protecting the privacy and personal data of all individuals who interact with us. This Privacy Policy explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The RTA is the data controller for the personal data described in this policy. Our contact details are: Royal Twirling Association, Email: admin@royaltwirlingassociation.co.uk, Website: https://royaltwirlingassociation.co.uk

We collect and process the following categories of personal data:

Account & Registration Data: Full name, email address, phone number, password (encrypted), role (troupe leader, parent, dancer), and troupe affiliations.

Dancer Data: Dancer name, date of birth, age group, troupe membership, competition entries, and performance records.

Child-Specific Data: For dancers under 16, we collect parent/guardian name, contact details, relationship to the child, emergency contact name and phone number, and medical information (allergies, conditions, or other relevant health information provided voluntarily).

Payment Data: Payment transactions are processed by Stripe. The RTA does not store your full card details. We retain transaction records including amounts, dates, and invoice references.

Contact Form Data: Name, email address, subject, and message content submitted via our contact form.

Technical Data: IP address, browser type, pages visited, and cookies (see Section 8).

We use your personal data for the following purposes: to register and manage your RTA account; to process troupe affiliations, dancer registrations, and competition entries; to process payments for memberships, competition entries, and event tickets; to communicate with you about events, competitions, and RTA news; to fulfil our safeguarding obligations (including maintaining records of DBS checks and safeguarding concerns); to respond to your enquiries via the contact form; to comply with legal and regulatory obligations; and to improve our website and services.

We process your personal data on the following legal bases:

Contract: Processing necessary to perform our contract with you (e.g., registration, competition entry, payment processing).

Legitimate Interests: Processing necessary for our legitimate interests (e.g., improving our services, communicating about events), provided these are not overridden by your rights.

Legal Obligation: Processing necessary to comply with our legal obligations (e.g., safeguarding, health and safety).

Consent: Where you have given specific consent (e.g., photography consent, marketing communications). You may withdraw consent at any time by contacting us.

For special category data (e.g., medical information), we rely on explicit consent or the processing being necessary for reasons of substantial public interest (safeguarding of children).

We may share your personal data with the following third parties:

Supabase (database hosting): Your account and registration data is stored securely on Supabase servers. Supabase is compliant with SOC 2 Type II.

Stripe (payment processing): Payment data is shared with Stripe to process transactions. Stripe is PCI DSS Level 1 compliant.

Resend (email delivery): Your email address is shared with Resend to deliver transactional emails (e.g., registration confirmations, password resets).

Law enforcement or regulatory bodies: Where required by law or to protect the safety of a child or vulnerable adult.

We will never sell your personal data to third parties.

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:

Account data: Retained for the duration of your account plus 2 years after account deletion or last activity.

Dancer and competition records: Retained for 3 years after the dancer's last competition entry.

Payment records: Retained for 6 years in accordance with HMRC requirements.

Safeguarding records: Retained in accordance with statutory guidance (typically 25 years or until the individual reaches the age of 25, whichever is longer).

Contact form submissions: Retained for 1 year.

When personal data is no longer required, it will be securely deleted or anonymised.

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access: You can request a copy of the personal data we hold about you.

Right to Rectification: You can request that we correct any inaccurate or incomplete data.

Right to Erasure: You can request that we delete your personal data (subject to legal retention requirements).

Right to Restrict Processing: You can request that we limit how we use your data.

Right to Data Portability: You can request your data in a structured, commonly used format.

Right to Object: You can object to processing based on legitimate interests.

Right to Withdraw Consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at admin@royaltwirlingassociation.co.uk. We will respond within one month.

Our website uses essential cookies that are necessary for the site to function (e.g., authentication session cookies). We do not use advertising or tracking cookies.

Essential cookies include session authentication tokens stored by Supabase to keep you logged in. These cookies are strictly necessary and do not require consent under UK GDPR.

We take the security of your personal data seriously. Measures include: encryption of data in transit (HTTPS/TLS) and at rest; secure password hashing; access controls limiting who can view personal data; regular security reviews; and use of reputable, security-certified third-party providers (Supabase, Stripe, Vercel).

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay.

We recognise the importance of protecting children's personal data. For dancers under 16, we require parental or guardian consent before collecting and processing their data. Parents and guardians can exercise data rights on behalf of their children by contacting us.

We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "Last Updated" date. We encourage you to review this policy periodically.

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us at admin@royaltwirlingassociation.co.uk.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): Website: https://ico.org.uk, Telephone: 0303 123 1113.