PRIVACY POLICY

This Privacy Policy explains how Competent Swimming Limited (“Competent Swimming”, “we”, “us”, or “our”) collects, uses, discloses and otherwise processes personal data when you use our services, and explains the rights available to you under applicable data protection laws.

We act as a data controller when we determine the purposes and means of the processing of your personal data in connection with:

• your use of our website at https://www.competentswimming.co.uk and any other website or online service we operate that links to this Privacy Policy (together, the Website);

• your use of our online dashboards, booking systems and other digital services (together, the Online Services); and

• your participation, or your child’s participation, in in-person swimming lessons and related activities (together, the Lessons).

If you do not agree with this Privacy Policy, you should not use our Website, Online Services or Lessons.

1. WHO WE ARE

Controller:
Competent Swimming Limited
Company number: 16413380
Registered office: Office 1, Izabella House, 24–26 Regent Place, City Centre, Birmingham, United Kingdom, B1 3NJ

We are registered with the UK Information Commissioner’s Office (“ICO”) as a data controller under registration number ZC044367.

Contact for privacy matters:
Email: support@competentswimming.co.uk

2. SCOPE OF THIS PRIVACY POLICY

This Privacy Policy applies to personal data we process about:

• prospective, current and former clients and users of our Website and Online Services;

• parents and legal guardians who create an account and book Lessons;

• swimmers (including children) whose details are provided by a parent/guardian;

• swim teachers and other individuals who interact with our systems (to the extent they do so via the Website or Online Services).

For certain relationships (for example, staff or contractors), we may provide additional privacy information separately.

3. PERSONAL DATA WE COLLECT

3.1 Data you provide directly

We collect personal data that you choose to provide to us, including when you:

• complete a “book now” or enquiry form;

• create and manage an account on our Online Services;

• book or manage Lessons;

• contact us by email, phone or via online forms;

• update swimmer information in the dashboard; or

• choose to receive marketing from us.

The personal data we collect may include:

Account and contact data (parent/guardian or adult client)

• First name and last name

• Email address

• Mobile or other telephone number

• Billing address

• Whether you are booking as the swimmer or on behalf of a swimmer (e.g. parent/guardian)

• Login credentials (such as email and password) for the Online Services

Swimmer data (including children)

• Swimmer first name and last name

• Swimmer age and/or date of birth

• Swimmer ability level and progression information

• Lesson history and attendance records

• Any other information you choose to provide about the swimmer in connection with Lessons

Health and safety information (special category data)
Where you choose to provide it to us, we may collect information relating to health, for example:

• relevant medical conditions, disabilities or injuries;

• allergies or other health considerations;

• any information reasonably required to adapt or manage the Lesson safely.

We use this information solely to help us provide Lessons safely and appropriately and to respond to incidents or emergencies. Because this information can be “special category data”, we will only collect and process it where you choose to provide it and where we have a suitable legal basis (see section 5).

Teacher/coach documentation (where applicable)
For swim teachers or prospective teachers using our systems, we may collect:

• identification and contact details;

• qualifications and training records;

• background documentation such as proof of right to work, criminal records checks and safeguarding/DBS-related documentation;

• scheduling and performance information relating to Lessons.

Payment-related data
We do not collect or store full payment card numbers or security codes on our own systems. When you make a payment:

• payment details are processed directly by our payment service providers (for example, Stripe, and in some cases Klarna, Revolut Pay or other methods available via Stripe);

• we receive and store limited information necessary for accounting and reconciliation, such as transaction identifiers, the last few digits of a payment card, payment status and the payment method used.

3.2 Data collected automatically

When you use the Website or Online Services, we may automatically collect certain information about your device and usage, including:

• IP address;

• device identifiers;

• browser type and version;

• operating system;

• time zone setting;

• pages visited, clickstream data and time spent on pages;

• login dates and times and related security logs.

This information is typically collected via cookies and similar technologies (see section 9 and our Cookie Policy).

3.3 CCTV and lesson recording

Some Lesson venues may use CCTV for security and safety purposes. In addition, we may record parts of Lessons (for example, for safety review, coaching feedback or training purposes), where permitted by the venue and where we consider it necessary and proportionate.

• CCTV operated by a venue may be controlled by the venue operator as its own data controller, under its own privacy notices.

• Any recordings that we control are processed in accordance with this Privacy Policy and only for limited, clearly defined purposes.

3.4 Data from third parties

We may receive personal data from third parties, such as:

• payment service providers (e.g. confirmation that a payment has succeeded or failed);

• analytics and advertising partners (e.g. aggregated information about site usage and campaign performance);

• communication and email providers (e.g. delivery or bounce information);

• background-check or verification services, in respect of teachers and staff.

We only obtain such data where it is lawful and necessary for the purposes described in this Privacy Policy.

4. PURPOSES FOR WHICH WE USE PERSONAL DATA

We process personal data only where we have a lawful basis to do so. The main purposes for which we use your data include:

1. Providing and managing the Lessons and Online Services

   • setting up and administering accounts;

   • managing bookings, Lesson schedules and attendance;

   • tailoring Lessons to swimmer ability and age;

   • communicating Lesson information, changes and cancellations;

   • handling support queries and complaints.

2. Safety and safeguarding

   • considering relevant medical and health information that you provide so that we can plan and adapt Lessons safely;

   • responding to incidents or emergencies;

   • using CCTV or recorded footage (where applicable) for safety, safeguarding, investigation and training.

3. Payments and billing

   • processing payments through our payment processors;

   • maintaining records for accounting and tax purposes;

   • managing refunds, credits and arrears in accordance with our Terms and Conditions.

4. Service administration and communication

   • sending service-related messages (for example, changes to Lesson times, venue closures, important policy updates);

   • providing information about your account or swimmer progress;

   • notifying you of updates to our Terms and Conditions, Privacy Policy or Cookie Policy.

5. Marketing and promotions

   • sending you information about Competent Swimming products, services and offers, where you have opted to receive marketing;

   • tailoring certain communications based on your interactions with us (for example, plans you have purchased or Lessons attended).

   • You can change your marketing preferences at any time in the dashboard or by using the unsubscribe link in marketing emails.

6. Analytics and improvement

   • monitoring usage of the Website and Online Services;

   • improving the design, performance and user experience of our systems;

   • developing new products, services and features.

7. Security, fraud prevention and compliance

   • protecting the security and integrity of our systems;

   • detecting and preventing fraud, abuse or misuse;

   • enforcing our Terms and Conditions and other agreements;

   • complying with legal obligations, responding to requests from law enforcement or regulators and defending our legal rights.

5. LEGAL BASES FOR PROCESSING

Under the UK GDPR and Data Protection Act 2018, we must identify a lawful basis for each purpose for which we process personal data. Depending on the context, we rely on one or more of the following legal bases:

1. Performance of a contract
   We process personal data where it is necessary to enter into or perform our contract with you, including to:

   • set up and maintain your account;

   • provide Lessons and Online Services;

   • manage bookings, payments, credits and refunds;

   • communicate with you about Lessons and your account.

2. Legitimate interests
   We process personal data where it is necessary for our legitimate interests, provided that these interests are not overridden by your rights and freedoms. These interests include:

   • running and developing our business;

   • ensuring the safety and quality of our Lessons;

   • monitoring and improving our Website and Online Services;

   • preventing fraud and misuse;

   • managing queries and complaints.

   • Where we rely on legitimate interests, we assess and balance the impact of the processing on individuals.

3. Consent
   In some cases, we process personal data based on your consent, for example:

   • sending you electronic marketing communications where you have opted in;

   • processing certain health-related information that you choose to provide to us for Lesson planning, where explicit consent is required;

   • using certain non-essential cookies and similar technologies, in accordance with our Cookie Policy.

   • You may withdraw your consent at any time (see section 11). Withdrawal of consent will not affect the lawfulness of processing before consent was withdrawn.

4. Legal obligations
   We process personal data where necessary to comply with our legal obligations, for example in relation to:

   • tax and accounting;

   • responding to lawful requests from public authorities;

   • child safeguarding, health and safety and other regulatory requirements.

5. Vital interests
   In rare cases, we may process personal data, including health information, where necessary to protect your vital interests or those of another person, for example in an emergency situation at a Lesson.

Special category (health) data

Where we process health-related information that you provide (for example, medical conditions relevant to swimming), we do so:

• with your explicit consent where required; and/or

• where necessary for reasons of substantial public interest, such as safeguarding or health and safety, in line with applicable UK data protection law; and/or

• where necessary to protect the vital interests of you or another person, where you are physically or legally incapable of giving consent.

You may choose not to provide health information, but this may affect our ability to adapt Lessons to a swimmer’s needs.

6. CHILDREN’S DATA

We recognise the importance of protecting children’s privacy.

• Our accounts and bookings are created and managed by parents or legal guardians, who act as the main contact and contracting party.

• We collect children’s data (such as name, age and ability) only as necessary for Lesson planning, safety and administration.

• We do not use children’s personal data for direct marketing. Any marketing communications are sent to the parent/guardian contact details.

• Where we rely on consent to process children’s data, we obtain that consent from the parent or legal guardian.

Parents and guardians may contact us at support@competentswimming.co.uk to exercise privacy rights on behalf of their child.

7. SHARING OF PERSONAL DATA

We do not sell your personal data. We may share personal data with the following categories of recipients, where lawful and necessary:

1. Service providers (processors)
   We use third-party service providers to support our business and provide the Website, Online Services and Lessons, including:

   • payment service providers (e.g. Stripe, and payment options available via Stripe such as Klarna or Revolut Pay);

   • cloud hosting, database and authentication providers (for example, providers used to host the dashboard and user accounts, such as Supabase);

   • email, SMS and communication providers;

   • analytics and advertising partners;

   • IT support and security providers.

   • These providers are only permitted to process personal data on our behalf and in accordance with our instructions.

2. Lesson venues and partners
   Where Lessons are delivered at third-party venues or in partnership with other organisations, we may share limited personal data (for example, swimmer names, Lesson times and relevant safety information) to organise and deliver Lessons and comply with venue rules.

3. Professional advisors and insurers
   We may share personal data with our professional advisors (such as lawyers, auditors and insurers) where necessary in connection with legal claims, audits, insurance or advice.

4. Business transfers
   If we sell, transfer or merge parts of our business or assets, or if we seek to acquire or merge with another business, we may share personal data with actual or potential buyers or merger partners, subject to appropriate confidentiality protections.

5. Legal and regulatory disclosures
   We may disclose personal data where required to do so by law or where we believe that such action is necessary to:

   • comply with a legal obligation or request;

   • protect the rights, property or safety of Competent Swimming, our clients, swimmers or others;

   • investigate fraud, safeguarding concerns or security incidents.

8. INTERNATIONAL TRANSFERS

Some of our service providers may be located outside the United Kingdom and the European Economic Area (EEA), or may store personal data in other countries.

Where personal data is transferred outside the UK/EEA, we will ensure that appropriate safeguards are in place, such as:

• a decision by the UK government that the country provides an adequate level of data protection; or

• standard contractual clauses and any required UK addendum or equivalent approved mechanism.

You can contact us for further information about international transfers and the safeguards we use.

9. COOKIES AND SIMILAR TECHNOLOGIES

We use cookies and similar technologies on the Website and Online Services to:

• enable core functionality (for example, login and session management);

• remember your preferences;

• help secure the Website;

• understand how our Website and Online Services are used;

• support marketing and advertising, where permitted.

For more detailed information about the cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please refer to our Cookie Policy.

Most web browsers allow you to control cookies through their settings. If you disable or refuse cookies, some parts of the Website or Online Services may not function properly.

10. DATA RETENTION

We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy and to comply with legal, accounting or reporting requirements.

In particular (subject to applicable law and legitimate business needs):

• Account and Lesson data: ordinarily retained for up to 12 months after your account becomes inactive (for example, after the last Lesson or after you stop using the Online Services), unless we need to retain the data for longer in connection with legal claims, safeguarding or other legitimate reasons.

• Financial and transaction records: may be retained for up to six years from the end of the relevant financial year, in line with tax and accounting requirements.

• CCTV and recordings: retained for the period necessary for safety, security, investigation and training purposes, and then deleted or anonymised.

• Marketing data: retained for as long as you remain subscribed and for a short period afterwards to record your opt-out.

When personal data is no longer required, we will delete it or anonymise it. Where immediate deletion is not technically possible (for example, because information is stored in backup archives), we will securely store it and isolate it from further processing until deletion is possible.

11. SECURITY OF YOUR PERSONAL DATA

We use appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

These measures include, where appropriate:

• access controls and authentication;

• encryption and secure transmission;

• pseudonymisation of certain data sets;

• regular security testing and monitoring;

• staff training and confidentiality obligations.

However, no method of transmission over the Internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security. You are responsible for keeping your account credentials confidential and for using secure networks when accessing the Online Services.

12. YOUR RIGHTS

Subject to certain conditions and exceptions under applicable law, you may have the following rights in relation to your personal data:

• Right of access – to obtain confirmation as to whether we process your personal data and, if so, to receive a copy.

• Right to rectification – to have inaccurate personal data corrected and incomplete data completed.

• Right to erasure – in certain circumstances, to request deletion of your personal data.

• Right to restriction of processing – in certain circumstances, to restrict the processing of your personal data.

• Right to data portability – where processing is based on consent or contract and carried out by automated means, to receive your personal data in a structured, commonly used and machine-readable format and to request that we transmit it to another controller where technically feasible.

• Right to object – to object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing for direct marketing.

• Rights in relation to consent – where we rely on your consent, to withdraw that consent at any time.

You can exercise your rights by contacting us using the details in section 13. We may need to verify your identity before responding.

If you withdraw consent, this will not affect the lawfulness of processing carried out before withdrawal, and we may continue to process your data where we have another lawful basis.

If you are a parent or legal guardian, you may exercise these rights on behalf of your child in relation to their personal data.

Complaints

If you are unhappy with how we handle your personal data, we encourage you to contact us first so that we can try to resolve your concerns.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

• Website: https://ico.org.uk

• Telephone: 0303 123 1113

If you reside in another country, you may have the right to complain to your local data protection authority.

13. DO-NOT-TRACK (DNT) AND SIMILAR SIGNALS

Some web browsers and devices may transmit “Do-Not-Track” (“DNT”) signals. At present, no uniform industry standard has been established for recognising and responding to such signals, and we do not currently respond to DNT signals.

If a standard for online tracking is adopted in the future that we are required to follow, we will update this Privacy Policy accordingly.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time, for example to reflect changes in law, technology or our services.

When we make changes, we will:

• update the “Last updated” date at the top of this Privacy Policy; and

• where appropriate, provide additional notice (for example, by email or prominent notice on the Website or Online Services, particularly for material changes).

We encourage you to review this Privacy Policy periodically to stay informed about how we process your personal data.

15. CONTACTING US

If you have any questions, requests or concerns about this Privacy Policy or our processing of your personal data, please contact us at:

Competent Swimming Limited
Office 1, Izabella House
24–26 Regent Place
City Centre
Birmingham
United Kingdom
B1 3NJ

Email: support@competentswimming.co.uk

You may also contact us via the contact form or phone number provided on our Website at https://www.competentswimming.co.uk/contact-competent-swimming/.

16. HOW TO REVIEW, UPDATE OR DELETE YOUR DATA

You can review and update certain personal data (such as your contact details and marketing preferences) by logging into your account on the Online Services.

To request access to, correction or deletion of other personal data that we hold about you (or about your child), or to exercise any of the rights described in section 12, please contact us at support@competentswimming.co.uk. We will respond to your request in accordance with applicable data protection laws.