1. INTRODUCTION

1.1 Who We Are

First Touch FC Limited (“we,” “us,” “our,” or “First Touch FC”) operates the website at https://first-touch.co.uk and provides children’s football coaching and related services.

Our Details:

Legal Entity: First Touch FC Limited
Company Registration Number: 08901271
Email: [email protected]
Telephone: +44 203 290 0498
Registered Address: 1 Queen’s Gate Terrace, Flat 7, London, England, SW7 5PE

1.2 Data Controller

First Touch FC Limited is the data controller for all personal data collected through our website and services. This means we are responsible for deciding how your personal data is used and for ensuring it is protected.

1.3 Purpose of This Policy

This Privacy Policy explains:

What personal data we collect
How we collect it
Why we collect it
How we use it
Who we share it with
How long we keep it
What rights you have
How we protect it

1.4 Important: Children’s Data

First Touch FC provides services to children. We are particularly careful with children’s personal data. Parents and guardians must:

Read this policy carefully
Understand how we use their child’s data
Ensure they have capacity to consent on the child’s behalf
Inform us of any concerns

By booking with us, you consent to our data processing as described in this policy.

1.5 Changes to This Policy

We may update this Privacy Policy from time to time. We will post changes on our website with an updated “Effective Date.” Your continued use of our website and services after changes are posted constitutes acceptance of the updated policy.

2. LEGAL BASIS FOR DATA PROCESSING

2.1 Why We Can Process Your Data

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, we can only process personal data if we have a lawful basis to do so. Our lawful bases are:

a) Consent
You have given us clear, affirmative consent (e.g., ticking a consent box during booking). You can withdraw consent at any time by contacting us.

b) Contract
Processing is necessary to fulfil our contract with you (e.g., processing your booking, taking payment, managing your participation).

c) Legal Obligation
We are required by law to process certain data (e.g., safeguarding concerns may require us to report to local authorities, child protection services, or police).

d) Vital Interests
Processing is necessary to protect someone’s life (e.g., medical emergency, safeguarding emergency).

e) Legitimate Interests
We have a legitimate interest in processing data that does not override your rights (e.g., fraud prevention, security, improving our services). We balance our interests against your privacy rights.

2.2 Children’s Data and Parental Consent

When a child participates in our Services, we collect and process the child’s personal data (name, date of birth, medical information, etc.). By booking a place for your child, you:

Confirm you are the parent or authorized legal guardian
Consent to our processing of the child’s personal data
Confirm the child has no objection (if old enough to express a view)
Warrant you have the authority to give this consent

3. WHAT PERSONAL DATA WE COLLECT

3.1 Data Collected During Booking

When you book a place with First Touch FC, we collect:

Parent/Guardian Information:

Full name
Email address
Telephone number
Postal address
Relationship to the child
Emergency contact name and telephone number

Child’s Information:

Full name
Date of birth
School name (if provided)
Gender (if provided)
Dietary requirements or restrictions
Allergies (food, environmental, contact-based)
Medication and prescribed drugs
Medical conditions (asthma, epilepsy, diabetes, heart conditions, etc.)
Disability or mobility concerns
Recent injuries or ongoing physical issues
Mental health conditions relevant to participation
Doctor’s name and contact details
Any other medical or health information relevant to safe participation
Photography/video consent status

Payment Information:

Payment card details (processed securely by our payment provider; we do not store full card details)
Payment transaction history

3.2 Data Collected Automatically

When you visit our website, we automatically collect:

Technical Data:

Your Internet Protocol (IP) address
Your browser type and version
Your operating system
Your device type (mobile, tablet, desktop)
Pages you visit on our site
Time and date you access our site
Time spent on each page
Links you click
Referral source (how you reached our site)
Geographic location (approximate, based on IP address)

Cookie Data:

Cookie identifiers
Session data
Login tokens (if you log in)

This data is collected via server logs, Google Analytics (if enabled), and cookies (see our Cookie Policy for details).

3.3 Data You Voluntarily Provide

Comments on website (if enabled)
Messages sent via contact forms
Enquiry or support request content
Testimonials or reviews
Social media interactions (if you mention us on social media)

3.4 Data from Third Parties

We may receive information about you from:

Your emergency contact (if they contact us about your child)
Healthcare providers (if you authorize us to contact them)
Emergency services (in a medical emergency)
Third-party payment providers
Third-party spam detection services

4. HOW WE USE YOUR PERSONAL DATA

4.1 Use of Parent/Guardian Data

We use your personal data to:

a) Fulfil Our Contract with You

Process your booking
Collect payment
Send booking confirmations and updates
Manage your participation in our Services
Send session reminders and schedule changes
Respond to enquiries and support requests
Provide customer service

b) Child Safeguarding

Store medical and health information for emergency use
Identify allergies and medications during sessions
Contact emergency services or your nominated doctor if needed
Implement child protection procedures
Comply with safeguarding obligations (reporting concerns to local authorities)

c) Legal Compliance

Comply with tax and accounting requirements
Comply with company law requirements
Comply with safeguarding and child protection law
Respond to legal requests (e.g., court orders, police requests)
Maintain records for audit purposes

d) Legitimate Interests

Fraud prevention and security
Website improvement and optimization
Service quality monitoring
Business analytics and reporting
Identifying trends in participation
Marketing and promotional communications (with consent)
Dispute resolution

e) With Consent

Sending marketing emails and promotional offers (if you opt in)
Creating marketing materials featuring your child’s image/video (with explicit photo consent)

4.2 Use of Child’s Data

We use your child’s personal data to:

a) Provide Services

Enroll them in sessions
Process payment for their participation
Manage attendance and sessions
Communicate with you about their participation

b) Child Safety

Identify medical conditions and allergies
Emergency contact in case of injury or illness
Safeguarding and child protection
Incident reporting and investigation

c) Service Improvement

Tracking participation patterns
Assessing coaching effectiveness
Identifying development areas
Personalizing coaching approach (where appropriate)

d) Legal Obligations

Safeguarding reporting
Incident investigation
Legal requests

e) With Consent

Using photos/videos for marketing
Creating promotional materials

4.3 Marketing and Communications

Opt-In Marketing:
We will only send you marketing emails and promotional communications if you have explicitly opted in. We will not send unsolicited marketing emails to parents unless they have consented.

How to Opt Out:
You can unsubscribe from marketing emails at any time by:

Clicking the “unsubscribe” link in any marketing email
Emailing us at [email protected] with your request
Replying “STOP” to any SMS (if we send SMS)

We will honour opt-out requests within 24 hours.

Service Communications:
We will send you transactional emails about your booking, payment, session updates, and urgent matters regardless of marketing consent. These are not promotional and you cannot opt out.

4.4 Photography and Video Consent

If You Consented (“Yes” to photos):
We will:

Take photographs and/or video recordings during sessions
Use images for marketing, promotional materials, website, and social media
Potentially keep images online for extended periods
Not obtain further consent each time images are used

If You Did NOT Consent (“No” to photos):
We will:

NOT take photographs or videos of your child specifically
Blur or remove your child’s image if they appear in a background group photo

Changing Consent:
You can change your photography consent at any time. Email [email protected] at least 7 days before a session. Photos already published will not be removed unless we have a legal obligation.

5. WHO WE SHARE YOUR DATA WITH

5.1 Our Staff and Coaches

Your personal data (especially medical information) is shared with First Touch FC coaches and staff who need it to:

Provide coaching services
Manage your child’s safety and wellbeing
Handle medical emergencies
Comply with safeguarding obligations

All staff are bound by confidentiality and data protection obligations.

5.2 Payment Providers

We share payment information (payment card details, billing address, transaction amount) with our payment provider to:

Process your payment securely
Prevent fraud
Maintain transaction records

Our payment providers may include:

Stripe
PayPal
Other PCI-compliant payment processors

These providers have their own privacy policies. We only share data necessary for payment processing.

5.3 Emergency Services

If your child requires emergency medical treatment, we will share medical information with:

Emergency services (ambulance/paramedics)
Hospital staff
Your child’s doctor

This is necessary to protect your child’s life and health.

5.4 Safeguarding and Legal Obligations

We will share personal data with:

Local authority children’s services
Police
Other law enforcement agencies
Child protection services

If we have concerns that a child is:

Being abused or neglected
At risk of harm
Involved in illegal activity

We are legally obliged to report these concerns. We cannot guarantee confidentiality in these circumstances.

5.5 Other Service Providers

We share data with third parties who help us operate our Services:

Website hosting providers
Email service providers
Analytics providers (Google Analytics)
Anti-spam/anti-fraud services
Insurance providers (for claims purposes)
Accountants and auditors

These providers are bound by data protection agreements and can only use data for the purposes we specify.

5.6 Legal Requests

We will share data if required by law, including:

Court orders
Government requests
Data protection authority requests
Police investigations
Tax authority requests

5.7 Business Transfers

If First Touch FC is sold, merged, or transferred:

Buyer will be notified of this privacy policy
Your data may transfer to the new owner
We will notify you of material changes to data handling

5.8 Data NOT Shared

We do NOT share data with:

Third-party advertisers (without explicit consent)
Data brokers or marketing lists
Social media platforms (unless embedded content)
Competitors or other businesses
Third parties for commercial purposes

Except as required by law or as described above.

6. DATA SECURITY AND PROTECTION

6.1 How We Protect Your Data

We implement security measures to protect your personal data, including:

Technical Measures:

Encrypted data transmission (SSL/TLS encryption on our website)
Secure payment processing (PCI-DSS compliant)
Secure data storage
Regular security updates and patches
Firewalls and intrusion detection

Administrative Measures:

Access controls (only authorized staff can access data)
Confidentiality agreements with staff
Data protection training for all staff
Regular security audits

Physical Measures:

Secure office locations
Limited access to servers and facilities
Controlled visitor access

6.2 Limitations on Security

No security measure is 100% secure. While we implement reasonable safeguards, we cannot guarantee absolute security. You use our website at your own risk. We are not liable for unauthorized access or data breaches beyond our control.

6.3 Password Security

If you have a login account:

Choose a strong, unique password
Do not share your password with others
Change your password regularly
Log out after accessing your account

First Touch FC is not responsible for unauthorized access due to weak passwords or shared login credentials.

6.4 Data Breach Notification

If we experience a data breach affecting your personal data, we will:

Notify affected individuals within 72 hours
Provide details of the breach and data affected
Explain steps we are taking in response
Provide contact information for questions

We are legally required to notify the Information Commissioner’s Office (ICO) if a breach is likely to cause high risk to your rights.

7. DATA RETENTION AND DELETION

7.1 How Long We Keep Your Data

Booking and Service Data:

Retained while you are an active customer
Retained for 6 years after your last participation (for legal, tax, and safeguarding purposes)
Longer if required by law

Payment Records:

Retained for 6 years (for tax and accounting purposes)
Required by law

Medical and Health Information:

Retained while your child participates
Retained for 6 years after participation ends (for safeguarding and insurance purposes)
Longer if specific concerns or incidents require longer retention

Incident Records:

Retained indefinitely (in case of future safeguarding concerns)
Or for the retention period required by law

Comments:

Retained indefinitely (you can request deletion)

Website Analytics:

Retained by Google for 26 months (or as configured)

Marketing Data:

Retained while you are subscribed to our mailing list
Deleted upon unsubscribe

7.2 Right to Deletion

You have the right to request deletion of your personal data, except:

Data we are legally required to keep (tax records, safeguarding records, legal obligations)
Data necessary to complete your booking or ongoing services
Data required for dispute resolution
Data required for insurance or liability purposes
Data that cannot be anonymized

To request deletion, email [email protected] with details of what data you wish to delete. We will respond within 30 days.

8. YOUR RIGHTS UNDER GDPR AND DATA PROTECTION LAW

8.1 Your Data Rights

You have the following rights:

Right of Access (Subject Access Request):
You can request a copy of all personal data we hold about you. We will provide it within 30 days in a commonly used digital format (usually CSV or PDF). This is free for first request; subsequent requests may have a small administrative fee.

Right to Rectification:
If your data is inaccurate or incomplete, you can request correction. We will update your data within 30 days.

Right to Erasure (“Right to Be Forgotten”):
You can request deletion of your data, except where we are required to keep it by law or for legitimate purposes.

Right to Restrict Processing:
You can request that we limit how we use your data while you challenge its accuracy or our legal basis.

Right to Data Portability:
You can request your data in a structured, portable format suitable for transfer to another provider.

Right to Object:
You can object to processing of your data where we rely on legitimate interests or direct marketing.

Right to Withdraw Consent:
If we process your data with your consent, you can withdraw consent at any time. This does not affect processing before withdrawal.

Automated Decision-Making:
You have rights regarding decisions based solely on automated processing that affects you legally or significantly.

8.2 How to Exercise Your Rights

To exercise any of these rights:

Email [email protected] with clear details of your request
Include your name, email, and booking reference (if applicable)
Specify exactly what right you are exercising
We will respond within 30 days

We will ask you to verify your identity before fulfilling requests.

8.3 What Happens If You Exercise Your Rights

We will honor your request or explain why we cannot
Some requests may delay or prevent us from providing Services
For example, requesting deletion of medical data may mean we cannot safely provide coaching

8.4 Data Protection Officer

We do not have a formal Data Protection Officer. For data protection inquiries, contact:

Email: [email protected]
Address: 1 Queen’s Gate Terrace, Flat 7, London, England, SW7 5PE

9. GDPR AND CHILDREN’S DATA – SPECIFIC PROVISIONS

9.1 Children’s Rights

Children have the same data rights as adults, but:

Parents/guardians typically make data decisions on their behalf
In some cases (older children), the child may be able to exercise rights directly
We will not process data based on consent from a child under 13 without parental consent

9.2 Parental Authority

By booking with us, parents/guardians confirm:

They have authority to consent to our data processing
They have disclosed necessary information about their child
They will ensure their child complies with appropriate data practices
They can access, update, or request deletion of their child’s data

9.3 Data Protection Safeguards for Children

We implement special safeguards:

Medical data is restricted access (only relevant staff can view)
Photography consent is opt-in only
Regular audits of how child data is handled
Staff training on handling sensitive child data
Incident reporting for any data concerns

10. INTERNATIONAL DATA TRANSFERS

10.1 Where Your Data Is Stored

Your personal data is primarily stored in the United Kingdom. It may be transferred to:

European Union member states
Other countries where we use service providers

10.2 Data Protection Standards

Transfers outside the UK are only to countries deemed to have adequate data protection or with appropriate safeguards (Standard Contractual Clauses).

10.3 U.S. Transfers (If Applicable)

If data is transferred to the U.S., it may be subject to U.S. government access requests. We will implement appropriate safeguards where possible.

11. THIRD-PARTY WEBSITES AND LINKS

11.1 External Links

Our website may link to external websites. We are not responsible for:

Privacy practices of external websites
Data collection by external websites
Content on external websites

11.2 Third-Party Privacy Policies

When you visit external websites, you are subject to their privacy policies, not ours. Review their privacy policies before providing data.

12. CONTACT US

12.1 Data Protection Inquiries

If you have any questions about this Privacy Policy or our data practices:

Email: [email protected]

Postal Address:
1 Queen’s Gate Terrace, Flat 7, London, England, SW7 5PE

Telephone: +44 203 290 0498

We will respond to inquiries within 14 days.

12.2 Complaints to the ICO

If you believe we have violated your data rights, you can complain to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy at any time. Changes will be posted on our website with an updated “Effective Date” at the top.

Material changes (e.g., new data collection, new data sharing) will be communicated to you via email.

Your continued use of our website after changes are posted constitutes acceptance.

14. GOVERNING LAW AND JURISDICTION

14.1 Governing Law

This Privacy Policy is governed by English law and the Data Protection Act 2018, General Data Protection Regulation (GDPR), and UK data protection principles.

14.2 Dispute Resolution

Disputes regarding this Privacy Policy are subject to:

English law and UK courts
Data protection authority oversight (Information Commissioner’s Office)

14.3 Contact for Privacy Concerns