Data Protection Policy

Reviewed: 4th of September, 2023

Next review date: September 2024

Terms and Definitions

“Agreement”, “Service Agreement” refers to a document signed between Squad In Touch Ltd and an organisation about terms and conditions of using Squad In Touch Digital Platform for Schools within the organisation.

“Data Protection Legislation” refers to : (i) the UK GDPR, and any applicable national implementing Laws as amended from time to time; (ii) the DPA 2018 to the extent that it relates to processing of personal data and privacy; (iiii) all applicable Law about the processing of personal data and privacy.

“Data Subject Access Request” refers to a request made by, or on behalf of, a Data Subject in accordance with rights granted pursuant to the Data Protection Legislation to access their Personal Data.

“DPA” refers to the Data Protection Act 2018.

“GDPR” refers to the UK GDPR (General Data Protection Regulation).

“Personal Data”, “Data Controller”, “Data Processor”, “Data Processing”, “Data Subject”, “Personal Data Breach”, “Data Protection Officer” shall be understood in their meanings as assigned by the UK GDPR and the DPA.

“Personal Data operated by Registered Organisations” refers to Personal Data of individuals who allow Registered Organisations to be a Data Controller on their Personal Data.

“Public Area” refers to the subset of Squad In Touch Digital Platform for Schools applications that can be accessed by anyone without registration or signing up.

“Public User(s)” refers to any or all individuals that use the Public Area of Squad In Touch Digital Platform for Schools without registration or signing up.

“Registered Organisation(s)” refers to any or all of the organisations, which use Squad In Touch Digital Platform for Schools in accordance with the Service Agreement.

“Registered Organisation Authorised Staff” refers to any or all of the Registered Organisation officials who are Registered Users and authorised by the Registered Organisation to perform particular operations with the Registered Organisation’s data as well as Personal Data of Registered Users that allow the Registered Organisation to be a Data Controller on their Personal Data.

“Registered User(s)” refers to any or all individuals that sign up to the Squad In Touch Digital Platform for Schools and agree with Squad In Touch’s Privacy Policy, Terms of Use and Accessible Use Policy.

“Restricted Area” refers to the area of Squad In Touch Digital Platform for Schools that can be accessed by Registered Users only.

“Squad In Touch Digital Platform for Schools” refers to the software developed by Squad In Touch Ltd as described on the official Company’s website and the services of its operations provided by Squad In Touch Ltd including, but not restricted to: hosting, maintenance, customer support, etc.

“Squad In Touch Ltd”, “Squad In Touch”, “Company”, “We”, “Us”, “Our” refers to Squad In Touch Ltd, a limited company registered in England and Wales (Company number 09657481), with the registered office at Pacific House, 382 Kenton Road, Harrow, Middlesex, HA3 8DP.

1 Introduction

1.1 Squad In Touch acts in the capacities of Processor and Controller of Personal Data.

1.2 The Company is a Data Processor in respect of the personal information entrusted to us by Registered Organisations within the Squad In Touch Digital Platform for Schools.

1.3 The Company acts as a Controller of Personal Data of Registered Users who sign up for their account with Squad In Touch Digital Platform for Schools and are offered a direct access to its functionality.

1.4 The Company is also a Data Controller in other cases, when we make decisions on how and why we will use Personal data. For example, as an employer, we hold records about our staff. Also, as a commercial organisation, we directly market our products to prospective customers – and some data used in these campaigns will be personal data.

1.5 Squad In Touch is committed to fulfilling its obligations under the UK General Data Protection Regulations (GDPR) and any subsequent data protection legislation. We have produced this policy to give such assurance to our customers and staff.

1.6 This Data Protection Policy is subject to ongoing review – at least annually - in light of changes in the law, guidance and working practice.

2 General statements of duties and scope

2.1 For the purposes of the Data Protection Legislation, Squad In Touch Ltd is and shall remain the Data Processor as a service provider to Registered Organisations. Squad In Touch Ltd does not act as the Data Controller of the Registered Organisations data and Registered Organisations shall retain sole ownership of all rights, title and interest in and to all of their data and shall have sole responsibility for the legality, reliability, integrity, accuracy and quality of their data.

2.2 Registered Organisations are and shall remain the Data Controller of the Personal Data of third parties inputted and processed on Squad In Touch Digital Platform for Schools by their Organisation’s Authorised Staff. The Company is required to process the relevant personal data regarding Personal Data operated by Registered Organisations as part of its operation and shall take all reasonable steps to do so in accordance with this Data Protection Policy and the Service Agreement.

2.3 The Company is committed to the protection of all personal data for which it holds responsibility as the Data Processor and the handling of such data in line with this Policy and the Principles of the UK GDPR and the DPA. The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy.

2.4 Individuals whose Personal Data is operated by Registered Organisations on Squad In Touch Digital Platform for Schools provide their consent for processing their Personal Data with or without using Squad In Touch Digital Platform for Schools. This is the sole responsibility of Registered Organisations to get individuals’ consent in accordance with the UK GDPR and the DPA prior to operate those individuals Personal Data within Squad In Touch Digital Platform for Schools.

2.5 Squad In Touch Digital Platform for Schools allows the Registered Organisations to grant access to the Personal Data operated by Registered Organisations on the Squad In Touch Digital Platform for Schools to Registered Users or to any Public Users.

2.6This is the sole responsibility of the Registered Organisations to get individuals’ consent in accordance with UK GDPR and the DPA prior to share those individuals’ data with Registered Users or Public Users.

2.7 The Company undertakes reasonable efforts on verifying Registered Users identity whilst they are signing up with Squad In Touch Digital Platform for Schools using one-off codes confirmation for email and mobile number.

2.8 This is the sole decision of the Registered Organisations with regards to whether to grant access to the Personal Data operated by Registered Organisations to Registered Users based on Registered Users identity verification results provided by Squad In Touch Digital Platform for Schools.

2.9 Squad In Touch Digital Platform for Schools allows Registered Organisations to revoke any access toany data they granted at any time.

2.10 For the purposes of the Data Protection Legislation, Squad In Touch Ltd is and shall remain the Data Controller to Registered Users. Squad In Touch Ltd acts as the Data Controller of the Registered Users’ Personal Data they input on Squad In Touch Digital Platform for Schools.

2.11 As the Data Controller of the Registered Users’ Personal Data, Squad In Touch Ltd describes how it collects, uses, processes, and discloses Registered Users’ Personal Data in conjunction with their access to and the use of Squad In Touch Digital Platform for Schools in Squad In Touch Privacy Policy.

2.12 The lawful basis for processing Personal Data of individuals signing up for an account with Squad In Touch Digital Platform for Schools is the consent of such individuals. In order to register an account with Squad In Touch Digital Platform for Schools each Registered User is required to read the Squad In Touch Squad In Touch Privacy Policy and to give their consent for their data to be processed. Individuals cannot access the Restricted Area without having an account with Squad In Touch Ltd.

2.13 The Company has appointed the Data Protection Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this Data Protection Policy, UK GDPR and the DPA.

2.14 The Company is also committed to ensuring that its staff are aware of data protection policies, legal requirements and adequate training is provided to them.

2.15 The requirements of this Data Protection Policy are mandatory for all staff employed by the Company and any third party contracted to provide services within the Company.

2.16 The Company shall monitor and implement changes to Data Protection Legislation in order to remain compliant with all requirements.

2.17 Squad In Touch Ltd is registered under the Data Protection Act with the Information Commissioners Office (ICO) and its registration number is ZA190536. Full details of our processing activities can be found on the Information Commissioners Office (ICO) website via the link.

2.18 Changes to the type of data processing activities being undertaken shall be notified to the ICO and details amended in the register.

3 Notification

3.1 The Company, being a Data Processor, shall notify Registered Organisations (The Data Controllers) immediately if it becomes aware of a Personal Data Breach.

3.2 The Company, being a Data Controller, shall notify Registered Users immediately if it becomes aware of a Personal Data Breach.

3.3 There is an obligation of the Company as a Data Controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.

4 Personal and Sensitive Data

4.1 For the purposes of this Data Protection Policy the definitions of personal and sensitive data shall be as those assigned by the UK GDPR and the DPA.

4.2 The Company encourages Registered Organisations and Registered Users to use enhanced data security measures such as:

  • Data minimisation – only data sufficient for identifying the Data Subject by Registered Users or Public Users needs to be provided;
  • Pseudonymisation – such as using the first letter of the surname rather than the full surname and/or using preferred names rather than full forenames.

4.3 Squad In Touch is not intended for handling sensitive data, including but not restricted to medical information. The “Pupils Medical Information” data fields on Squad In Touch Digital Platform for Schools should not be used for storing full medical details of pupils but rather for enabling Organisation Authorised Staff to have emergency medical data when out of the office to be able to provide relevant first aid. The Company recommends coding such information in a way only Registered Users from among Registered Organisation Authorised Staff can interpret.

5 Children data

5.1 When children’s Personal Data is processed by Registered Organisations (with or without using Squad In Touch Digital Platform for Schools) a prior parental/guardian permission must be obtained. When children between the ages of 13 and 17 are in question based on Registered Organisation’s Policies they can choose to obtain children’s consent rather than parental/guardian consent. This is the sole responsibility of Registered Organisations to ensure they have a parental/guardian and/or children’s consent prior to processing children data on the Squad In Touch Digital Platform for Schools.

5.2 When signing up for a Squad In Touch account each user is required to confirm they are of the age of 13 or over. Children under the age of 13 are not allowed to get access to the Squad In Touch Digital Platform for Schools without the consent of their parents/guardians. We make reasonable efforts to verify that the person giving consent does, in fact, hold parental responsibility for the child.

5.3 The Company does not knowingly collect personal information from any person who is under the age of 13 without a prior parental/guardian consent. If there is a reason to believe that We have collected Personal Data from a person under the age of 13 without a prior parental/guardian consent, we will delete this information as quickly as possible.

5.4 The Company Privacy Notices have been written to be clear for children so that they are able to understand what will happen to their Personal Data and what rights they have.

5.5 Children have the same rights as adults over their personal data as referred to within Section Six “Individual rights” of this Data Protection Policy. An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.

6 Individual rights

6.1 The Company commits to process the data in accordance with the data subject's rights according to the UK GDPR requirements:

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erase;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object;
  • Rights in relation to automated decision making and profiling.

6.2 The Company shall notify Registered Users and Registered Organisations immediately once we have received any Individual’s request in relation with Personal Data operated by Registered Users or Registered Organisations and the Individual’s rights affected by the Registered User or Registered Organisations operations with individuals Personal Data.

7 Fair Processing and Privacy Notice

7.1 We shall be transparent about the intended processing of data and communicate these intentions via notification to Registered Users prior to the processing of their own Personal Data or Personal Data operated by Registered Users.

7.2 Depending on the age of children registering accounts with Squad In Touch Digital Platform for Schools they may be allowed to give their own consent for their data to be processed or relevant requests can be sent to their parents provided those parents are Registered Users.

7.3 As our Privacy Policy may address children, it is written in clear and plain language as required by the UK GDPR.

7.4 Any proposed change to the processing of Registered Users Personal Data or Personal Data operated by Registered Organisations shall first be notified to Registered Users and implemented after getting their permission.

7.5 The principles of the Data Protection legislation shall be applied to all data processed:

  • Ensure that data is fairly and lawfully processed;
  • Process data only for limited purposes;
  • Ensure that all data processed is adequate, relevant and not excessive;
  • Ensure that data processed is accurate;
  • Not keep data longer than is necessary;
  • Ensure that data is secure;
  • Ensure that data is not transferred to other countries without adequate protection.

8 Data Subject Access Requests

8.1 The Company, being a Data Processor, shall notify Registered Organisations immediately if it receives requests from individuals with regards to their rights related to processing of their personal data within Squad In Touch Digital Platform for Schools, i.e.:

  • A Data Subject Access Request (or purported Data Subject Access Request);
  • A request to rectify, block or erase any Personal Data;
  • Any other request, complaint or communication relating to individuals’ rights under the Data Protection Legislation;

8.2 The Company, being a Data Processor, shall also notify Registered Organisations (The Data Controller(s)) immediately if it receives:

  • Any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed within Squad In Touch Digital Platform for Schools;
  • A request from any third party for disclosure of Personal Data where compliance with such request is required or purported to be required by Law;

8.3 The Company’s obligation to notify under clause 8.1 and 8.2 of this Data Protection Policy shall include the provision of further information to the Registered Organisations in phases, as details become available.

8.4 Taking into account the nature of the processing, the Company shall provide the Registered Organisations with full assistance in relation to their obligations under the Data Protection Legislation and any complaint, communication or request made under clause 8.1 of this Policy and insofar as possible within the timescales reasonably required by the Registered Organisations including by promptly providing:

  • The Registered Organisations with full details and copies of the complaint, communication or request;
  • Such assistance as is reasonably requested by the Registered Organisations to enable the Registered Organisations to comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
  • The Registered Organisations, at their request, with any Personal Data it holds in relation to a Data Subject;
  • Assistance as requested by the Registered Organisations following any Data Breach;
  • Assistance as requested by the Registered Organisations with respect to any request from the Information Commissioner’s Office (ICO), or any consultation by the Registered Organisations with the Information Commissioner's Office.

8.5 To help the Registered Organisations to comply with their obligations with relation to the Data Subjects access requests and Data Portability requirements Squad In Touch Digital Platform for Schools contains an option to produce a comprehensive report with regards to the personal data of third parties processed within Squad In Touch Digital Platform for Schools.

8.6 The Company, being a Data Controller with relation to the Personal Data of Registered Users, shall comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation.

9 Photographs and Video

9.1 Squad In Touch Digital Platform for Schools provides tools for adding media files linked to the other system objects (fixtures, tournaments, messages, etc.) available to Registered Users only and with limitations as specified in clauses 9.2 - 9.5 of this Policy, the Service Agreement and the Terms of Use of Squad In Touch Digital Platform for Schools (if applicable).

9.2 Registered Users can add media files on Squad In Touch Digital Platform for Schools for their own use without access permissions to the other Registered Users or Public Users.

9.3 Registered Organisation Authorised Staff can grant permissions to view media files added by them or the other Registered Users to the other Registered Users or Public Users.

9.4 Registered Users can grant permission to view media files added by them to the other Registered Users.

9.5 This is the sole responsibility of Registered Organisation and Registered Users to get individuals’ consents in accordance with the UK GDPR and the DPA prior to sharing photos and videos which contain those individuals’ with other Registered users or Public Users.

10 Information security

10.1 Squad In Touch Digital Platform for Schools is externally hosted and delivered using secure servers operating Secure Sockets Layer (SSL) encryption to provide high level protection of the privacy and integrity of the data passed between Squad In Touch Digital Platform for Schools and users.

10.2 To provide higher individual users data protection Squad In Touch Digital Platform for Schools uses an increased strength-level for user passwords. We check user contact details (email, mobile phone number) when the new user is enrolled. The user passwords stored in the database is irreversibly encrypted, thus we completely prevent harm in case of passwords stealing.

10.3 Squad In Touch Digital Platform for Schools supports high secure multi-level role model of access to Registered Organisations’ data. Registered Organisations administrator users are able to revoke any permission to their Organisation’s data at any time for any reason.

10.4 Members of Squad In Touch support team have no access to Registered Organisations data. If we need an access for the Registered Organisation’s data for a support team member for particular data-related issues, our support team member asks Registered Organisation’s admin for temporary permission that can be revoked by school admin at any time.

10.5 Our technical maintenance staff have very strict requirements for access into the database and are regularly instructed to maintain and support measures for preventing unauthorized or unlawful access or use of school’s data. We do ensure that all technical maintenance team members having access to whole database are fully aware of their responsibilities with regards to the Registered Organisations’ Data protection including requirements of confidentiality and non-disclosure of any personal information.

10.6 Squad In Touch Ltd’s servers use strong authentication mechanisms based SHA1, SHA256 and RSA cryptography algorithms.

11 Hosting and storage of Personal Data

11.1 Squad In Touch Digital Platform for Schools is delivered to Registered Organisations from the cloud servers located in Ireland. We host our solution at the Amazon Data Centre (Amazon Web Service, AWS) which is fully compliant with security standards and requirements according to:

11.2 Details of Squad In Touch information security architecture on AWS are stated on Squad In Touch AWS Cloud Information Security Architecture and are available on request.

12 Text messages

12.1 Squad In Touch Digital Platform for Schools users are able to receive text messages from Squad In Touch. Each Registered User is required to confirm the code received via text message when signing up for an account with Squad In Touch Digital Platform for Schools. The code is sent tothe mobile number specified by the Registered user.

12.2 Squad In Touch uses Vonage SMS service and Twilio SMS service who send the content of each message to the number specified.

12.3 Our SMS providers then provide a Message ID for each of the messages sent which is later used to track delivery status of each SMS message.

12.4 Vonage’s information security details are available via this link: https://www.vonage.com/legal/technical-organizational-security-practices/.

12.4 Twilio’s information security details are available via this link: https://www.twilio.com/docs/usage/security.

13 Payment gateway

13.1 Squad In Touch Digital Platform for Schools users are able to make payments for products and services offered by Us and third parties and available for purchasing through Squad In Touch online interfaces.

13.2 Squad In Touch uses Stripe Payment Gateway for enabling Users to make payments.

13.3 Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.

13.4 Stripe’s information security details are available via this link: https://stripe.com/docs/security/stripe.