Privacy Policy | Complete Rugby

Data Controller

Complete Rugby Ltd is the data controller for all personal data processed through the Platform. As data controller, we determine the purposes and means by which your personal data is processed and are responsible for ensuring that processing is lawful, fair, and transparent.

Controller Details

CompanyComplete Rugby Ltd

Company Number16910830

Registered Address13 Church Road, Brighton, England

SIC Code82990

Data enquiriesprivacy@completerugby.co.uk

General supportsupport@completerugby.co.uk

Safeguardingsafeguarding@completerugby.co.uk

Websitecompleterugby.co.uk

Where required by law, Complete Rugby will appoint a Data Protection Officer. Current contact details are maintained at completerugby.co.uk/privacy.

What We Collect

We collect personal data only to the extent necessary to provide and improve the Platform. The data we collect falls into three categories:

Data You Provide Directly

Identity and contact: Full name, email address, phone number, date of birth, home address
Profile content: Biography, profile photograph, coaching specialisations, location, pricing information, and service descriptions
Booking information: Session preferences, availability, booking history, client communications, and session notes
Payment and billing: Processed by Stripe Connect, we do not store full payment card numbers or CVV data. We retain payout account references and transaction identifiers only.
Coach verification data: Government-issued photo ID, qualification certificates, DBS certificate reference numbers, professional body membership numbers and expiry dates, and professional indemnity insurance details
Account credentials: Email address and encrypted password (passwords are never stored in plain text)
Communications: Messages sent through the Platform, support requests, dispute correspondence, reviews, and Community posts

Data Collected Automatically

Usage data: Pages visited, features used, search queries, session duration, clicks, and in-app navigation patterns
Device and technical data: Device type, operating system, browser type and version, screen resolution, and language settings
Location data: Approximate geographic location derived from your IP address (not GPS-precise location)
Log data: IP address, access timestamps, HTTP request data, and error reports
Cookie and tracking data: As described in Section 9 below

Data Received from Third Parties

Stripe: Payment transaction metadata, payout status, and fraud risk signals
DBS checking services: Check status confirmation only, we do not receive or retain full DBS certificate content, only the certificate reference number and whether a check has passed or failed
Identity verification providers: Verification outcomes for Coach onboarding
Social login providers: Basic profile data (name, email) if you choose to register via a third-party social login, subject to your settings with that provider

How We Use It

Providing Marketplace Services

Creating, managing, and maintaining your account and profile
Matching Clients with suitable Coaches based on search queries, location, and availability
Facilitating communication between Coaches and Clients through the in-platform messaging system
Displaying Coach profiles, Listings, and reviews to prospective Clients
Managing subscription-based Communities hosted by Coaches

Processing Payments via Stripe

Processing Client payments at the point of booking through Stripe Connect
Holding funds securely until Session completion and the expiry of any dispute or cancellation period
Calculating and deducting Platform commission before disbursing Coach payouts
Issuing refunds in accordance with our Cancellation Policy
Generating transaction records and earnings summaries for Coach and Client dashboards

DBS Verification and Safeguarding

Verifying that Coaches working with under-18s or vulnerable adults hold a valid Enhanced DBS certificate
Verifying Standard DBS certificates for adult-only coaching services
Maintaining records of DBS check status and certificate reference numbers for regulatory compliance
Monitoring DBS certificate expiry and prompting renewals to maintain compliance
Cooperating with statutory safeguarding authorities if a concern is raised

Booking Confirmations and Platform Communications

Sending booking confirmations, reminders, receipts, and cancellation notices by email
Notifying Coaches of new booking requests, cancellations, and client messages
Delivering platform updates, policy changes, and service notifications
Responding to support requests, complaints, and dispute correspondence

Platform Safety and Fraud Prevention

Detecting, investigating, and preventing fraudulent transactions, fake accounts, and platform abuse
Monitoring for fake reviews or circumvention of Platform Fees in breach of our Terms of Service
Verifying the accuracy of Coach qualification claims and profile information
Protecting the security and integrity of Platform systems and user data
Reporting suspected criminal activity or safeguarding concerns to appropriate authorities

Legal Basis

We process personal data only where we have a lawful basis to do so under UK GDPR Article 6. The table below sets out our principal processing activities and the legal basis for each.

Processing Activity	Lawful Basis	UK GDPR Article
Creating and managing your account	Contract performance	Art. 6(1)(b)
Processing bookings and payments	Contract performance	Art. 6(1)(b)
Sending booking confirmations and receipts	Contract performance	Art. 6(1)(b)
Verifying DBS status and qualifications	Legal obligation	Art. 6(1)(c)
Maintaining transaction records for HMRC	Legal obligation	Art. 6(1)(c)
Responding to law enforcement requests	Legal obligation	Art. 6(1)(c)
Fraud prevention and platform security	Legitimate interests	Art. 6(1)(f)
Improving platform performance and features	Legitimate interests	Art. 6(1)(f)
Sending marketing and newsletters	Consent	Art. 6(1)(a)
Non-essential analytics cookies	Consent	Art. 6(1)(a)
Processing DBS and safeguarding records	Substantial public interest	Art. 9(2)(g) + DPA 2018 Sch.1 Pt.2

Special Category and Criminal Records Data

DBS certificate data constitutes criminal records data under UK GDPR and the Data Protection Act 2018. We process this data under:

UK GDPR Article 9(2)(b), processing necessary for obligations in the field of employment and social protection law
UK GDPR Article 9(2)(g), processing necessary for reasons of substantial public interest: specifically the safeguarding of children and vulnerable adults
Read with Schedule 1, Part 2 of the Data Protection Act 2018, which expressly permits processing of this nature for safeguarding purposes

Access to DBS data is strictly limited to authorised Complete Rugby personnel on a need-to-know basis and is subject to enhanced security controls.

Withdrawing Consent

Where we rely on your consent as a legal basis (for example, for marketing emails or non-essential cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal. You can withdraw consent by updating your notification preferences in your account settings or by contacting us at privacy@completerugby.co.uk.

Data Sharing

We do not sell your personal data to any third party under any circumstances. We share data only as described below, and only to the minimum extent necessary.

Stripe, Payment Processing

We share payment and identity data with Stripe, Inc. to process Client payments and Coach payouts via Stripe Connect. Stripe acts as a joint data controller for payment processing and an independent data processor for identity verification. Stripe processes data in accordance with their own Privacy Policy and applicable financial regulations. Stripe may process data in the United States, see Section 8 for our approach to international transfers.

Supabase, Secure Data Storage

Platform data, including user profiles, booking records, messages, and community content, is stored securely using Supabase, our cloud database and backend infrastructure provider. Supabase processes data strictly on our behalf under a data processing agreement. Data is stored within the European Union (EU). See Section 8 for further details.

DBS Checking Services

We share Coach identity data with approved DBS umbrella bodies to initiate and process DBS checks. These providers are registered with the Disclosure and Barring Service and process data under strict legal and regulatory obligations. We receive only the check status and certificate reference, not the full certificate content.

Between Coaches and Clients

Coach profile information, including name, location, qualifications, biography, availability, and reviews, is visible to the public and to all registered Users. Client names and booking details are shared with the relevant Coach solely for the purpose of delivering the booked service. Limited profile information may be visible to other members within Community spaces.

Law Enforcement and Regulatory Authorities

We may disclose personal data to law enforcement agencies, safeguarding bodies, the Information Commissioner’s Office, HMRC, or the courts where required by applicable law, court order, or legal process, or where disclosure is necessary to protect the rights, safety, or property of Complete Rugby, our Users, or the public.

Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data held by Complete Rugby may be transferred to the relevant acquirer. We will notify affected Users in advance and ensure appropriate contractual protections are in place for your personal data.

Other Service Providers

We engage carefully selected third-party service providers to assist with email delivery, analytics, security monitoring, and customer support. All providers process data solely on our behalf under binding data processing agreements and may not use your data for their own purposes.

Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected and in compliance with our legal obligations. Where data is no longer required, it is securely deleted or permanently anonymised.

Data Category	Retention Period	Reason
Account and profile data	7 years after account closure	Tax and legal compliance
Booking and transaction records	7 years from transaction date	HMRC statutory requirement
DBS check reference data	Duration of registration + 3 years	Safeguarding obligations
Coaching session records	7 years from session date	Contractual and legal claims
Marketing preferences	Until consent withdrawn or account closed	Consent-based processing
Support and dispute records	3 years from final interaction	Legal defence and ADR
Safeguarding records	Per applicable statutory guidance	Statutory requirement
Cookie and analytics data	13 months (analytics) / session	ICO guidance

Transaction and booking records are retained for 7 years to comply with HMRC requirements under the Taxes Management Act 1970. This applies regardless of account status.

Where you exercise your right to erasure (Section 7), we will delete data that we are not required by law to retain, and will anonymise any data that must be kept for legal or regulatory purposes so that it can no longer be attributed to you.

Your Rights under UK GDPR

Under the UK General Data Protection Regulation, you have the following rights regarding your personal data. We will respond to all requests free of charge within one calendar month of receipt, unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to respond.

Your Right	What It Means	Response Time
Right of Access	Obtain a copy of the personal data we hold about you (Subject Access Request)	1 month
Right to Rectification	Require correction of inaccurate or incomplete personal data without undue delay	1 month
Right to Erasure	Request deletion of your data where it is no longer necessary, consent is withdrawn, or processing is unlawful ('right to be forgotten')	1 month
Right to Restriction	Request that we limit how we use your data in certain circumstances, such as while accuracy is disputed	1 month
Right to Portability	Receive your personal data in a structured, commonly used, machine-readable format to transfer to another controller	1 month
Right to Object	Object to processing based on legitimate interests or to direct marketing at any time, with immediate effect for marketing	Immediate for marketing
Automated Decision-Making	Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects	1 month

How to Exercise Your Rights

To exercise any of the above rights, please contact us at privacy@completerugby.co.uk with your full name, account email address, and details of your request. We may need to verify your identity before processing your request to protect against fraudulent access.

Right to Complain to the ICO

If you are dissatisfied with how we have handled your personal data or responded to your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

Website

ico.org.uk

Phone

0303 123 1113

Post

ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

International Transfers

Complete Rugby processes personal data primarily within the United Kingdom and the European Economic Area. Where we transfer data outside the UK, we ensure appropriate safeguards are in place in accordance with Chapter V of UK GDPR.

Supabase, EU Server Infrastructure

User data stored on our Supabase database infrastructure is hosted within the European Union. The EU is covered by a UK adequacy decision, meaning that transfers to EU-based servers are treated as equivalent to transfers within the UK and require no additional safeguard mechanism.

Stripe, US Processing with Standard Contractual Clauses

Stripe, Inc. is headquartered in the United States. Payment data processed by Stripe may be transferred to and stored in the US. Stripe maintains compliance with applicable international transfer mechanisms, including:

UK International Data Transfer Agreements (IDTAs) or equivalent UK addenda to EU Standard Contractual Clauses (SCCs)
Stripe's certification under applicable data transfer frameworks
Binding contractual obligations on Stripe as a data processor under our data processing agreement

Full details of Stripe’s approach to international transfers are set out in Stripe’s Privacy Policy.

Other Third-Party Transfers

Where any other service provider processes data outside the UK or EEA, we ensure that appropriate safeguards are in place, whether through an adequacy decision, International Data Transfer Agreement (IDTA), or Standard Contractual Clauses, before any transfer takes place. You may request details of the specific transfer mechanisms we rely on by contacting us at privacy@completerugby.co.uk.

Cookies

The Platform uses cookies and similar tracking technologies. We categorise cookies into three types based on their purpose and the consent requirements that apply.

Essential Cookies, No Consent Required

Essential cookies are strictly necessary for the Platform to function. They cannot be disabled without breaking core functionality. We place these cookies automatically on the basis of our legitimate interest in providing a functional service.

Authentication cookies: Maintain your login session so you remain signed in as you navigate the Platform. Placed by Supabase Auth on sign-in and cleared on sign-out.
Security cookies: CSRF protection tokens to prevent cross-site request forgery attacks
Session state cookies: Preserve form state, navigation position, and UI preferences within a session
Cookie preference cookie: Records your cookie consent choices to avoid re-prompting on every visit

Analytics Cookies, Consent Required

Analytics cookies help us understand how Users interact with the Platform so we can improve it. These cookies are placed only with your prior, freely given, and informed consent, which you may withdraw at any time.

Page view and navigation tracking to identify popular content and areas requiring improvement
Session duration and drop-off analysis to improve user journeys
Feature usage tracking to prioritise development efforts
Error and performance monitoring to identify and resolve technical issues

Preference Cookies, Consent Required

Preference cookies remember your settings and personalisation choices to provide a more tailored experience across visits. These are placed only with your consent.

Language and region preferences
Dashboard layout and display settings
Saved search filters and coaching preferences

Managing Your Cookie Preferences

You can manage your cookie preferences at any time through our Cookie Settings tool. You can also control cookies through your browser settings, though disabling essential cookies will impair your ability to use the Platform. Withdrawing consent for non-essential cookies does not affect the lawfulness of any processing that occurred prior to withdrawal.

Analytics and preference cookies are retained for a maximum of 13 months in accordance with ICO guidance, after which fresh consent is required. Essential session cookies expire when you close your browser or sign out.

Children

The Platform is not intended for direct use by individuals under the age of 18. We do not knowingly collect personal data directly from children. If you believe we have inadvertently received data from a child without appropriate parental consent, please contact us at privacy@completerugby.co.uk and we will delete it promptly.

Account Creation

Users must be at least 18 years of age to create an account on the Platform. We do not knowingly permit under-18s to register directly. Where we become aware that an account has been created by someone under 18, we will suspend and investigate the account promptly.

Parental Consent for Youth Coaching

Where a Client wishes to book coaching for a child under 18, the parent or legal guardian must:

Create and hold the account themselves, the minor may not hold an account in their own name
Accept these Terms of Service and this Privacy Policy on the minor's behalf
Provide accurate information about the minor's age and any relevant health or medical information to the Coach prior to the first session
Ensure appropriate supervision is arranged for all in-person sessions involving the minor as required by applicable safeguarding guidance

Data Protection for Minors

Special safeguards apply to all data relating to minors on the Platform:

Booking records involving under-18s are subject to enhanced access controls and are accessible only to the parent or guardian account holder and authorised Complete Rugby staff
We do not use data relating to minors for marketing, analytics profiling, or any purpose other than service delivery and legal compliance
DBS data and safeguarding records relating to minors are held with strictly limited access and are subject to our most stringent security measures
Parents and guardians may exercise all data subject rights on behalf of the minor by contacting privacy@completerugby.co.uk

Changes to Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, technology, legal requirements, or regulatory guidance. We distinguish between material and non-material changes.

Material Changes

A material change is any change that significantly affects how we collect, use, or share your personal data, for example, adding a new category of data collection, a new processing purpose, or a new data sharing partner. For material changes, we will:

Notify you by email to your registered address at least 30 days before the change takes effect
Display a prominent notice on the Platform for the same 30-day period
Where required by law, seek your fresh consent before processing data under the new terms
Provide a clear summary of what has changed and why

Your continued use of the Platform after the effective date of any updated Privacy Policy constitutes your acceptance of that update. If you do not accept a material change, you may close your account without penalty by contacting us at support@completerugby.co.uk.

Non-Material Changes

Minor, non-material changes (such as correcting typographical errors, adding clarificatory language, or updating contact details) may be made without advance notice. The “Last Updated” date at the bottom of this page will always reflect the date of the most recent revision.

The current version of this Privacy Policy is always available at completerugby.co.uk/legal/privacy.

Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or to the processing of your personal data, please contact us using the details below. We are committed to responding promptly and transparently.

Privacy Enquiries

privacy@completerugby.co.uk

Data rights, DPA requests, GDPR queries

General Support

support@completerugby.co.uk

Account, bookings, platform help

Safeguarding

safeguarding@completerugby.co.uk

Child protection and welfare concerns

Registered Address

Complete Rugby Ltd
13 Church Road
Brighton
England

If you remain dissatisfied following our response, you may escalate your complaint to the Information Commissioner’s Office at ico.org.uk or by calling 0303 123 1113.