Privacy Policy
Last updated: 23 March 2026
1. Who We Are
Vardeck ("we", "us", "our") provides compliance management software for UK leisure facilities. When your organisation uses Vardeck, your organisation is the data controller and Vardeck acts as a data processor under UK GDPR and the Data Protection Act 2018.
For enquiries about this policy, contact: privacy@vardeck.app
2. What Data We Collect
Staff Users (via your organisation)
- Name, email address, job title, role
- Phone number (encrypted at rest)
- Emergency contact details (encrypted at rest)
- DBS check reference and dates (encrypted at rest)
- Medical notes where provided (encrypted at rest)
- Kiosk PIN (hashed, not stored in plaintext)
Parents / Guardians (via the Parent Portal)
- Name, email address, phone number (encrypted)
- Address (encrypted at rest)
- Emergency contact details (encrypted at rest)
- Payment information (processed by Stripe, not stored by Vardeck)
Pupils (Children)
- Name, date of birth
- Medical notes and swimming aids (encrypted at rest)
- Photo and media consent flags
- Lesson attendance, skill progress, certificates
Technical Data
- IP address and browser user agent (for session security and consent records)
- Session data (encrypted in database)
- Activity audit logs (what actions were taken, by whom, when)
3. Lawful Basis for Processing
| Processing Activity | Lawful Basis |
|---|---|
| Staff account management | Contract (employment) |
| Pupil lesson tracking | Contract (service provision) |
| Medical notes | Vital interests (child safety) |
| DBS screening records | Legal obligation |
| Safeguarding concerns | Legal obligation (UK safeguarding law) |
| Photos / media of children | Consent (parental) |
| Marketing communications | Consent |
| Audit trail / activity logging | Legitimate interest (security) |
| Pool water testing data | Legal obligation (PWTAG / HSG274) |
4. How We Protect Your Data
- Encryption at rest: All personal data fields are encrypted using AES-256-CBC
- Encryption in transit: All connections use TLS/HTTPS
- Password security: Passwords are hashed using bcrypt with 12 rounds
- Session security: Sessions use encrypted, HTTP-only, Secure cookies with SameSite protection
- Access control: Role-based access with tenant data isolation
- Audit logging: All data changes are logged with user identification
- Rate limiting: Login attempts are rate-limited to prevent brute force attacks
5. Data Retention
We retain personal data only for as long as necessary:
- Active accounts: Data retained while the account is active
- Audit logs: Retained for 12 months, then automatically deleted
- Deleted accounts: Soft-deleted for 90 days (recoverable), then permanently erased
- Session data: Expires after 2 hours of inactivity
6. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability (receive your data in a machine-readable format)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interest
- Withdraw consent at any time (for consent-based processing)
To exercise any of these rights, contact privacy@vardeck.app. We will respond within 30 days.
7. Children's Data
We take extra care with children's data. Pupil information is only processed with parental/guardian consent and for the purpose of providing swimming lessons and tracking progress. Medical notes are encrypted and accessible only to authorised staff.
8. Third-Party Services
We use the following sub-processors:
- Stripe (payment processing) — UK/EU data centres
- Hosting provider — UK-based data centres
We do not sell or share personal data with third parties for marketing purposes.
9. Data Breach Notification
In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms. Affected individuals will be notified without undue delay where the breach is likely to result in a high risk.
10. Complaints
If you have concerns about how your data is handled, you can:
- Contact us at privacy@vardeck.app
- Lodge a complaint with the Information Commissioner's Office (ICO)
11. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification.