Privacy Policy

Website, Events & Membership

Last Updated: April 2026

1. Introduction

This Privacy Policy explains how Cambridge Taekwon-Do (“we”, “us”, “our”) collects, uses, and protects your personal data when you:

Visit our website
Purchase event tickets
Join as a member or train with us

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Cambridge Taekwon-Do
Website: https://www.cambs-tkd.co.uk/
Email: contact@cambs-tkd.co.uk

3. What Data We Collect

a) Website Users

We do not collect any personal data from visitors to our website through forms or tracking tools.
Contact details (email and phone number) are displayed on the website for you to reach us. If you choose to contact us, we will collect only the information you provide in that communication.
Google, as the website host, may collect standard usage data (such as IP address and browser information) in accordance with Google's Privacy Policy.

b) Event Attendees

Identity data: Name
Contact data: Email, phone number
Transaction data: Ticket purchases and references
Event responses: Form answers and comments
Attendance data: Check-in records
Consent records

c) Members (Club Management System)

Identity data: Name
Contact data: Email, phone number
Emergency contact details (primary/secondary contacts)
Membership records (attendance, grading history, training progress)
Communication records

d) Health Information (Special Category Data)

We may collect limited health information (for example injuries, medical conditions, or relevant physical limitations) where you choose to provide it.

This data is:

Used solely to support safe participation in training
Optional, but strongly recommended
Not used for medical diagnosis or record-keeping
Accessible only to instructors or authorised personnel where necessary for safety
These data will be encrypted at the storage

e) Children’s Data

We may collect personal data relating to children where they are enrolled as members of the club. In such cases, this data is provided by a parent or legal guardian, and consent is given on their behalf.

We take additional care to ensure that children’s data is handled securely and only used for training, safety, and membership management purposes.

4. Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR:

Contract (Art. 6(1)(b)) – To provide memberships, training, and event services
Consent (Art. 6(1)(a)) – For optional data and specific uses
Legal obligation (Art. 6(1)(c)) – For insurance, safeguarding, and financial compliance
Legitimate interests (Art. 6(1)(f)) – To operate and improve the club safely and effectively

Special Category Data (Health)

We process health data only with:

Explicit consent (Art. 9(2)(a))

5. How We Use Your Data

We use your data to:

Manage memberships and training records
Deliver events and issue tickets
Communicate important updates (e.g. schedule changes, gradings)
Maintain safety and respond to emergencies
Track attendance and progression
Prevent fraud and resolve disputes

We will never:

Sell or rent your data
Use your data for marketing without explicit consent
Share your data with advertisers

6. Photos and Videos

We may take photos or videos during training sessions or events for:

Coaching and development purposes
Internal club use
Promotional materials (e.g. website or social media)

Where required, we will rely on consent for promotional use.
You may opt out at any time by contacting us at contact@cambs-tkd.co.uk

7. Data Sharing

We only share the minimum necessary data with trusted service providers:

Stripe, Inc. (payment processing) - PCI DSS Level 1 certified. Your card details are tokenised on Stripe's servers; we see only a transaction reference. Stripe Privacy Policy
Amazon Web Services (AWS) - Secure data storage, Dublin, Ireland (eu-west-1) via Mongo DB
Vercel Inc. - Website hosting and delivery. Vercel processes request metadata (IP addresses, browser information, timestamps) for security and performance. Standard Contractual Clauses and a Data Processing Agreement are in place. Vercel Privacy Policy | Vercel DPA
Email providers (Mailgun / Mailtrap) - Used solely to dispatch confirmations and communications. Mailgun Privacy Policy
Event venues or governing bodies - where required for safety or compliance
Law enforcement / courts - Only if compelled by a valid legal order; we will notify you where legally permitted

We may also share data where required by law.

8. Data Storage & Security

Your data is stored securely using industry-standard measures:

Encrypted storage on AWS (Ireland – EEA)
Encryption in transit (TLS 1.2+)
Field-level encryption (AES-256-CBC)
Role-based access controls: Only authorised individuals can access production data.
Brute-force protection and rate limiting on authentication endpoints
Regular backups and security reviews

Despite these measures, no internet transmission or storage system can be guaranteed 100% secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

Access to Personal Data

Access to personal data is strictly limited to authorised individuals who require it to perform their role. This may include:

Instructors (for training delivery and safety)
Club administrators (for membership and event management)
System administrators, including the application developer, solely for technical maintenance, support, and security purposes

All access is controlled and data is handled confidentially.