Reviewed: 4th of September, 2023
Next review date: September 2024
Terms and Definitions
“Agreement”, “Service Agreement” refers to a document
signed between Squad In Touch Ltd and an organisation about terms and conditions of using
Squad In Touch Digital Platform for Schools within the organisation.
“Data Protection Legislation” refers to: (i) the UK GDPR,
and any applicable national implementing Laws as amended from time to time; (ii) the
DPA 2018 to the extent that it relates to processing of personal data and privacy; (iii)
all applicable Law about the processing of personal data and privacy.
“Data Subject Access Request” refers to a request made by, or on behalf of, a Data Subject
in accordance with rights granted pursuant to the Data Protection Legislation to access their
Personal Data.
“DPA” refers to the Data Protection Act 2018.
“GDPR” refers to the UK GDPR (General Data Protection Regulation).
“Personal Data”, “Data Controller”, “Data Processor”, “Data Processing”, “Data Subject”,
“Personal Data Breach”, “Data Protection Officer” shall be understood in their
meanings as assigned by the UK GDPR and the DPA.
“Personal Data operated by Registered Organisations” refers to Personal Data of individuals
who allow Registered Organisations to be a Data Controller on their Personal Data.
“Public Area” refers to the subset of Squad In Touch Digital Platform for Schools applications
that can be accessed by anyone without registration or signing up.
“Public User(s)” refers to any or all individuals that use the Public Area of Squad In Touch
Digital Platform for Schools without registration or signing up.
“Registered Organisation(s)” refers to any or all of the organisations, which use Squad In
Touch Digital Platform for Schools in accordance with the Service Agreement.
“Registered Organisation Authorised Staff” refers to any or all of the Registered
Organisation officials who are Registered Users and authorised by the Registered
Organisation to perform particular operations with the Registered Organisation’s data as well
as Personal Data of Registered Users that allow the Registered Organisation to be a Data
Controller on their Personal Data.
“Registered User(s)” refers to any or all individuals that sign up to the Squad In Touch Digital
Platform for Schools and agree with Squad In Touch’s Privacy Policy, Terms of Use and Accessible Use Policy.
“Restricted Area” refers to the area of Squad In Touch Digital Platform for Schools that can be
accessed by Registered Users only.
“Squad In Touch Digital Platform for Schools” refers to the software developed by Squad
In Touch Ltd as described on the official Company’s website and the services of its operations
provided by Squad In Touch Ltd including, but not restricted to: hosting, maintenance,
customer support, etc.
“Squad In Touch Ltd”, “Squad In Touch”, “Company”, “We”, “Us”, “Our” refers to Squad In Touch Ltd,
a limited company registered in England and Wales (Company number 09657481), with the registered office
at Pacific House, 382 Kenton Road, Harrow, Middlesex, HA3 8DP.
1 Introduction
1.1 Squad In Touch acts in the capacities of Processor and Controller of Personal Data.
1.2 The Company is a Data Processor in respect of the personal information entrusted to us
by Registered Organisations within the Squad In Touch Digital Platform for Schools.
1.3 The Company acts as a Controller of Personal Data of Registered Users who sign up for
their account with Squad In Touch Digital Platform for Schools and are offered a direct
access to its functionality.
1.4 The Company is also a Data Controller in other cases, when we make decisions on how
and why we will use Personal Data. For example, as an employer, we hold records about
our staff. Also, as a commercial organisation, we directly market our products to
prospective customers – and some data used in these campaigns will be personal data.
1.5 Squad In Touch is committed to fulfilling its obligations under the UK General Data
Protection Regulations (GDPR) and any subsequent data protection legislation. We have
produced this policy to give such assurance to our customers and staff.
1.6 This Data Protection Policy is subject to ongoing review – at least annually – in light of
changes in the law, guidance and working practice.
2 General statements of duties and scope
2.1 For the purposes of the Data Protection Legislation,
Squad In Touch Ltd is and shall remain the Data Processor as a service provider to Registered
Organisations. Squad In Touch Ltd does not act as the Data Controller of the Registered
Organisations’ data and Registered Organisations shall retain sole ownership of all rights,
title and interest in and to all of their data and shall have sole responsibility for the
legality, reliability, integrity, accuracy and quality of their data.
2.2 Registered Organisations are and shall remain the
Data Controller of the Personal Data of third parties inputted and processed on Squad In Touch
Digital Platform for Schools by their Organisation’s Authorised Staff. The Company is required
to process the relevant personal data regarding Personal Data operated by Registered Organisations
as part of its operation and shall take all reasonable steps to do so in accordance with this
Data Protection Policy and the Service Agreement.
2.3 The Company is committed to the protection of all
personal data for which it holds responsibility as the Data Processor and the handling of such
data in line with this Policy and the Principles of the UK GDPR and the DPA. The Freedom of
Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of
this policy.
2.4 Individuals whose Personal Data is operated by
Registered Organisations on Squad In Touch Digital Platform for Schools provide their consent
for processing their Personal Data with or without using Squad In Touch Digital Platform for
Schools. It is the sole responsibility of Registered Organisations to get individuals’ consent
in accordance with the UK GDPR and the DPA prior to operating those individuals’ Personal Data within
Squad In Touch Digital Platform for Schools.
2.5 Squad In Touch Digital Platform for Schools allows
the Registered Organisations to grant access to the Personal Data operated by Registered Organisations
on the Squad In Touch Digital Platform for Schools to Registered Users or to any Public Users.
2.6 It is the sole responsibility of the Registered Organisations
to get individuals’ consent in accordance with UK GDPR and the DPA prior to sharing those individuals’ data
with Registered Users or Public Users.
2.7 The Company undertakes reasonable efforts to verify
Registered Users’ identity whilst they are signing up with Squad In Touch Digital Platform for Schools
using one-off confirmation codes for email and mobile number.
2.8 It is the sole decision of the Registered Organisations
whether to grant access to the Personal Data operated by Registered Organisations to
Registered Users based on Registered Users’ identity verification results provided by Squad In Touch
Digital Platform for Schools.
2.9 Squad In Touch Digital Platform for Schools allows Registered
Organisations to revoke any access to any data they granted at any time.
2.10 For the purposes of the Data Protection Legislation, Squad In
Touch Ltd is and shall remain the Data Controller to Registered Users. Squad In Touch Ltd acts as the Data
Controller of the Registered Users’ Personal Data they input on Squad In Touch Digital Platform for Schools.
2.11 As the Data Controller of the Registered Users’ Personal Data,
Squad In Touch Ltd describes how it collects, uses, processes, and discloses Registered Users’ Personal Data
in conjunction with their access to and the use of Squad In Touch Digital Platform for Schools in
Squad In Touch Privacy Policy.
2.12 The lawful basis for processing Personal Data of individuals
signing up for an account with Squad In Touch Digital Platform for Schools is the consent of such individuals.
In order to register an account with Squad In Touch Digital Platform for Schools each Registered User is
required to read the Squad In Touch
Privacy Policy and to give their consent for their data to be processed. Individuals cannot access the
Restricted Area without having an account with Squad In Touch Ltd.
2.13 The Company has appointed the Data Protection
Officer (DPO) who will endeavour to ensure that all personal data is processed in compliance with this
Data Protection Policy, UK GDPR and the DPA.
2.14 The Company is also committed to ensuring that its staff are
aware of data protection policies and legal requirements, and that adequate training is provided to them.
2.15 The requirements of this Data Protection Policy are mandatory for all
staff employed by the Company and any third party contracted to provide services within the Company.
2.16 The Company shall monitor and implement changes to Data Protection
Legislation in order to remain compliant with all requirements.
2.17 Squad In Touch Ltd is registered under the Data Protection Act with the
Information Commissioner’s Office (ICO) and its registration number is ZA190536. Full details of our
processing activities can be found on the Information Commissioner’s Office (ICO) website via
the link.
2.18 Changes to the type of data processing activities being undertaken
shall be notified to the ICO and details amended in the register.
3 Notification
3.1 The Company, being a Data Processor, shall notify Registered
Organisations (The Data Controllers) immediately if it becomes aware of a Personal Data Breach.
3.2 The Company, being a Data Controller, shall notify Registered
Users immediately if it becomes aware of a Personal Data Breach.
3.3 There is an obligation of the Company as a Data Controller to
report personal data breaches to the supervisory authority and where the breach is likely to adversely affect
the personal data or privacy of the data subject.
4 Personal and Sensitive Data
4.1 For the purposes of this Data Protection Policy the definitions
of personal and sensitive data shall be as those assigned by the UK GDPR and the DPA.
4.2 The Company encourages Registered Organisations and Registered Users
to use enhanced data security measures such as:
- Data minimisation – only data sufficient for identifying the Data Subject by Registered Users or Public Users
needs to be provided;
- Pseudonymisation – such as using the first letter of the surname rather than the full surname and/or using
preferred names rather than full forenames.
4.3 Squad In Touch is not intended for handling sensitive data, including
but not restricted to medical information. The “Pupils Medical Information” data fields on Squad In Touch
Digital Platform for Schools should not be used for storing full medical details of pupils but rather for enabling
Organisation Authorised Staff to have emergency medical data when out of the office to be able to provide relevant
first aid. The Company recommends coding such information in a way only Registered Users from among Registered
Organisation Authorised Staff can interpret.
5 Children’s data
5.1 When children’s Personal Data is processed by Registered Organisations (with or
without using Squad In Touch Digital Platform for Schools) a prior parental/guardian permission must be obtained.
When children between the ages of 13 and 17 are in question based on Registered Organisation’s Policies they can
choose to obtain children’s consent rather than parental/guardian consent. It is the sole responsibility of Registered
Organisations to ensure they have parental/guardian and/or children’s consent prior to processing children’s data on
the Squad In Touch Digital Platform for Schools.
5.2 When signing up for a Squad In Touch account each user is required to confirm they
are of the age of 13 or over. Children under the age of 13 are not allowed to get access to the Squad In Touch Digital
Platform for Schools without the consent of their parents/guardians. We make reasonable efforts to verify that the person
giving consent does, in fact, hold parental responsibility for the child.
5.3 The Company does not knowingly collect personal information from any person who
is under the age of 13 without a prior parental/guardian consent. If there is a reason to believe that We have collected
Personal Data from a person under the age of 13 without a prior parental/guardian consent, we will delete this information
as quickly as possible.
5.4 The Company Privacy Notices have been written to be clear for children so that
they are able to understand what will happen to their Personal Data and what rights they have.
5.5 Children have the same rights as adults over their personal data as referred to
within Section Six “Individual rights” of this Data Protection Policy. An individual’s right to erasure is particularly
relevant if they gave their consent to processing when they were a child.
6 Individual rights
6.1 The Company commits to process the data in accordance with the data subject's rights
according to the UK GDPR requirements:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object;
- Rights in relation to automated decision making and profiling.
6.2 The Company shall notify Registered Users and Registered Organisations immediately
once we have received any Individual’s request in relation to Personal Data operated by Registered Users or Registered
Organisations and the Individual’s rights affected by the Registered Users’ or Registered Organisations’ operations with
individuals’ Personal Data.
7 Fair Processing and Privacy Notice
7.1 We shall be transparent about the intended processing of data and communicate these
intentions via notification to Registered Users prior to the processing of their own Personal Data or Personal Data operated
by Registered Users.
7.2 Depending on the age of children registering accounts with Squad In Touch Digital
Platform for Schools they may be allowed to give their own consent for their data to be processed or relevant requests
can be sent to their parents provided those parents are Registered Users.
7.3 As our Privacy Policy
may address children, it is written in clear and plain language as required by the UK GDPR.
7.4 Any proposed change to the processing of Registered Users’ Personal Data or Personal
Data operated by Registered Organisations shall first be notified to Registered Users and implemented after getting their
permission.
7.5 The principles of the Data Protection legislation shall be applied to all data processed:
- Ensure that data is fairly and lawfully processed;
- Process data only for limited purposes;
- Ensure that all data processed is adequate, relevant and not excessive;
- Ensure that data processed is accurate;
- Not keep data longer than is necessary;
- Ensure that data is secure;
- Ensure that data is not transferred to other countries without adequate protection.
8 Data Subject Access Requests
8.1 The Company, being a Data Processor, shall notify Registered Organisations
immediately if it receives requests from individuals with regards to their rights related to processing of their
personal data within Squad In Touch Digital Platform for Schools, i.e.:
- A Data Subject Access Request (or purported Data Subject Access Request);
- A request to rectify, block or erase any Personal Data;
- Any other request, complaint or communication relating to individuals’ rights under the Data Protection Legislation;
8.2 The Company, being a Data Processor, shall also notify Registered Organisations (The
Data Controller(s)) immediately if it receives:
- Any communication from the Information Commissioner or any other regulatory authority in connection with Personal Data processed
within Squad In Touch Digital Platform for Schools;
- A request from any third party for disclosure of Personal Data where compliance with such request is required or purported to
be required by Law;
8.3 The Company’s obligation to notify under clauses 8.1 and 8.2 of this Data Protection
Policy shall include the provision of further information to the Registered Organisations in phases, as details become available.
8.4 Taking into account the nature of the processing, the Company shall provide the Registered
Organisations with full assistance in relation to their obligations under the Data Protection Legislation and any complaint,
communication or request made under clause 8.1 of this Policy and insofar as possible within the timescales reasonably
required by the Registered Organisations including by promptly providing:
- The Registered Organisations with full details and copies of the complaint, communication or request;
- Such assistance as is reasonably requested by the Registered Organisations to enable the Registered Organisations to comply
with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation;
- The Registered Organisations, at their request, with any Personal Data it holds in relation to a Data Subject;
- Assistance as requested by the Registered Organisations following any Data Breach;
- Assistance as requested by the Registered Organisations with respect to any request from the Information Commissioner’s
Office (ICO), or any consultation by the Registered Organisations with the Information Commissioner's Office.
8.5 To help the Registered Organisations to comply with their obligations in relation to
Data Subject Access Requests and Data Portability requirements, Squad In Touch Digital Platform for Schools contains an option to
produce a comprehensive report with regards to the personal data of third parties processed within Squad In Touch Digital Platform
for Schools.
8.6 The Company, being a Data Controller with relation to the Personal Data of Registered
Users, shall comply with a Data Subject Access Request within the relevant timescales set out in the Data Protection Legislation.
9 Photographs and Video
9.1 Squad In Touch Digital Platform for Schools provides tools for adding media files linked
to the other system objects (fixtures, tournaments, messages, etc.) available to Registered Users only and with limitations as
specified in clauses 9.2 - 9.5 of this Policy, the Service Agreement and the Terms of Use
of Squad In Touch Digital Platform for Schools (if applicable).
9.2 Registered Users can add media files on Squad In Touch Digital Platform for Schools for
their own use without access permissions to the other Registered Users or Public Users.
9.3 Registered Organisation Authorised Staff can grant permissions to view media files
added by them or the other Registered Users to the other Registered Users or Public Users.
9.4 Registered Users can grant permission to view media files added by them to the other
Registered Users.
9.5 It is the sole responsibility of Registered Organisations and Registered Users to get
individuals’ consents in accordance with the UK GDPR and the DPA prior to sharing photos and videos which contain those individuals
with other Registered Users or Public Users.
10 Information security
10.1 Squad In Touch Digital Platform for Schools is externally hosted and delivered using
secure servers operating Secure Sockets Layer (SSL) encryption to provide high level protection of the privacy and integrity
of the data passed between Squad In Touch Digital Platform for Schools and users.
10.2 To provide stronger protection of individual users’ data, Squad In Touch Digital Platform for
Schools uses an increased strength-level for user passwords. We check user contact details (email, mobile phone number) when the
new user is enrolled. The user passwords stored in the database are irreversibly encrypted, thus we completely prevent harm in
case of password theft.
10.3 Squad In Touch Digital Platform for Schools supports a highly secure multi-level role model
of access to Registered Organisations’ data. Registered Organisations’ administrator users are able to revoke any permission to their
Organisation’s data at any time for any reason.
10.4 Members of the Squad In Touch support team have no access to Registered Organisations’ data.
If a support team member needs access to a Registered Organisation’s data for a particular data-related issue, our
support team member asks the Registered Organisation’s admin for temporary permission that can be revoked by the school admin at any time.
10.5 Our technical maintenance staff have very strict requirements for access to the
database and are regularly instructed to maintain and support measures for preventing unauthorised or unlawful access to or use of
schools’ data. We ensure that all technical maintenance team members having access to the whole database are fully aware of their
responsibilities with regards to the Registered Organisations’ Data protection including requirements of confidentiality and
non-disclosure of any personal information.
10.6 Squad In Touch Ltd’s servers use strong authentication mechanisms based on SHA1,
SHA256 and RSA cryptography algorithms.
11 Hosting and storage of Personal Data
11.1 Squad In Touch Digital Platform for Schools is delivered to Registered Organisations
from the cloud servers located in Ireland. We host our solution at the Amazon Data Centre (Amazon Web Service, AWS) which is
fully compliant with security standards and requirements according to:
11.2 Details of Squad In Touch information security architecture on AWS are stated on Squad
In Touch AWS Cloud Information Security Architecture and are available on request.
12 Text messages
12.1 Squad In Touch Digital Platform for Schools users are able to receive text messages
from Squad In Touch. Each Registered User is required to confirm the code received via text message when signing up for an
account with Squad In Touch Digital Platform for Schools. The code is sent to the mobile number specified by the Registered User.
12.2 Squad In Touch uses Vonage SMS service and Twilio SMS service, which send the content of
each message to the number specified.
12.3 Our SMS providers then provide a Message ID for each of the messages sent which is
later used to track delivery status of each SMS message.
12.4 Vonage’s information security details are available via this link:
https://www.vonage.com/legal/technical-organizational-security-practices/.
12.5 Twilio’s information security details are available via this link:
https://www.twilio.com/docs/usage/security.
13 Payment gateway
13.1 Squad In Touch Digital Platform for Schools users are able to make payments for
products and services offered by Us and third parties and available for purchasing through Squad In Touch online interfaces.
13.2 Squad In Touch uses Stripe Payment Gateway for enabling Users to make payments.
13.3 Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider
Level 1. This is the most stringent level of certification available in the payments industry.
13.4 Stripe’s information security details are available via this link: https://stripe.com/docs/security/stripe.