Data Protection
Your data, your rights.
We collect personally-identifiable data from our members and committee for the purposes of invoicing, payment processing, communicating, and providing services. We never collect data for the purposes of third-party sharing with the intent to gain profit.
What data do we collect?
Information we collect to identify our members includes, but is not explicitly limited to;
Full Legal Name
Date of Birth
Home Address
Email Address
Payment Information (Long card, CVV, Expiry)
Payment Card Type (Mastercard, Visa, Apple Pay, Google Pay)
Vehicle Make/Model/Registration
All of this information can be used to identify our members, and is collected for the purposes of providing services or communicating with our group.
How is this data stored?
PII (Personally-Identifiable Information) is stored by our data provider(s), BellProton and Stripe (Payments Provider), and is secured to government compliance standards, FIPS and GDPR. Proprietary security technologies are used in the safe-custody of data, and our providers are legally-required to make the public aware of any breaches.
How is this data used?
PII is submitted and stored for later use internally via the following flow;
Data Input - The end-user submits data through the website, or via our secure payments provider, Stripe.
Data Transmission - PII data is made available solely to the DPO (Data Protection Officer) at BellProton with the sole purpose of providing membership services to members of Bathspeleo. Data is viewed by one person programmatically with access to the payment provider.
Data Storage - Data is classified by the need for reasonable use, and is stored on the club's intranet system. The only data visible to more individuals than the sole DPO, is that which may be used to contact members regarding their membership status. (First Name, Last Name and Email Address), and no other data is made available.
Data At-Rest - Any further data is held securely for as long as is reasonably necessary to provide membership services, or for the purposes of fraud prevention, which is standard for payment processing requirements.
Data may be shared with the British Caving Association in order to provide a full membership. This is information that they reasonably require to provide liability insurance and other membership services to our members.
Reasonable Retention.
We are required legally to audit our data practices, and do so regularly. Your data is only stored within our systems for as long as is reasonably necessary to provide membership services to you. Once any membership or agreement ends, information is deleted from our systems within 28 days** - Your statutory rights are not affected by this procedure, and you can make any formal requests to contact@bathspeleo.com - Where our DPO will respond within 28 Days to any requests for access/removal.
**Exceptions Apply; Financial services require certain information to be retained for longer periods for the purposes of fraud prevention.
Rights to access and right to be forgotten.
You have the right to be made aware of which personally-identifiable data points we have stored about you, so we have a robust and dedicated system in place for handling SAR (Subject Access Requests), you can email contact@bathspeleo.com with the subject line "FAO: DPO SAR" and we will be in touch within 28 working days with further information in relation to your request, upon verifying your identity.
You also have the right to be forgotten, and we will handle requests for such in the same manner. Please note that if you request to be forgotten from our systems, any subsequent membership will be terminated immediately, and the BCA will be notified, thus ending your membership and liability insurances.
Policy Effective: 08/12/2023 // Last Updated: 08/12/2023