Privacy Policy

Last updated: 27 April 2026

1. About this policy

This policy explains how Live Test 4 27Apr collects, uses, stores, and protects personal data when you use this website, register a child for coaching, or interact with our services. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (where applicable), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and the Information Commissioner's Office (ICO) Age Appropriate Design Code (Children's Code).

We use plain English wherever possible. If anything below is unclear, please contact us at lukas+test4@flowedgeai.com and we will explain.

2. Who is the data controller?

Live Test 4 27Apr ("the Academy", "we", "us", "our") is the data controller responsible for personal data collected through this website and our coaching services. This means we decide what data is collected, why it is collected, and how it is used.

The Academy operates on the AcademyOS platform (academyos.co.uk). AcademyOS is a trading brand of FlowEdge AI Ltd (a company registered in England and Wales, company number 16247733, registered office 193 Cambridge Street, Aylesbury, Buckinghamshire, HP20 1BQ, United Kingdom). FlowEdge AI Ltd acts strictly as our data processor — they host and secure the technology that makes the Academy's services work, but they do not use Academy or parent data for their own purposes. A signed Data Processing Agreement (DPA) is in place between the Academy and FlowEdge AI Ltd as required by UK GDPR Article 28.

Academy contact details:

If you would like the Academy's ICO registration number, registered company number, or the name of our Designated Safeguarding Lead, please email us at the address above and we will provide them.

3. What data we collect

The personal data we may collect falls into the following categories:

3.1 Parent / guardian data

  • Full name, email address, phone number, and home address
  • Account password (hashed — we never see or store the plain text)
  • Relationship to the child and parental responsibility status
  • Marketing preferences and consent records
  • Communications with the Academy (emails, portal messages, chatbot conversations)

3.2 Child / player data

  • Full name, date of birth, age group, and gender
  • School and year group (where provided)
  • Medical information: allergies, medical conditions, medication, GP details
  • Emergency contact details
  • Attendance records, RSVPs, session participation, and player development ratings
  • Match results and performance notes recorded by coaching staff
  • Photos and video footage — only ever processed with separate, explicit parental consent

3.3 Financial data

  • Registration and payment history
  • Card details are never stored on our servers — they are handled directly by Stripe (PCI-DSS Level 1 certified). We only retain a tokenised reference and the last 4 digits for receipts and refund processing.

3.4 Technical data

  • IP address (truncated where possible) and approximate location
  • Browser type, device type, and operating system
  • Pages viewed, referrer, and timestamps (essential security & service-quality logs only)
  • Cookies — see our Cookie Policy

3.5 Special category data

Medical information about a child counts as special category data under UK GDPR Article 9. We process it only on the lawful bases of (a) explicit parental consent and (b) protection of vital interests (i.e. a medical emergency). It is encrypted at rest, accessible only to authorised coaching staff, and never used for marketing or analytics.

4. Children's data — our commitments under the ICO Children's Code

Our coaching services are designed for children. We follow the 15 standards of the ICO Age Appropriate Design Code and treat children's privacy as a fundamental, not a bolt-on. In practice this means:

  • Best interests of the child: every product decision that affects children is reviewed against the child's best interests.
  • Parental consent (UK GDPR Article 8): we only collect a child's data after a parent or legal guardian has registered an account, set a password, and verified their email address. Children do not register themselves on this platform.
  • No profiling of children: we do not build behavioural or marketing profiles of children, do not use children's data for behavioural advertising, and do not use "nudge" techniques on children.
  • No sharing for marketing: children's data is never sold, rented, or shared with third parties for marketing purposes.
  • Data minimisation: we collect only what is needed to deliver coaching safely. Optional fields are clearly marked.
  • High-privacy defaults: photo/video consent, marketing emails, and any optional features default to off until a parent actively opts in.
  • Strict access controls: a child's record is visible only to (a) the registered parent/guardian, (b) the coaching staff of the squad the child is assigned to, and (c) authorised Academy administrators. Row-Level Security on the database enforces this at the data layer, not just in the user interface.
  • No automated decisions with significant effect: any AI features (e.g. coach-facing report drafting) produce drafts only for an authorised coach to review, edit, and decide on before anything is sent or actioned.
  • Right to be forgotten: a parent can delete their account and their child's data at any time from the Parent Portal. See section 8.

If you are a child reading this and you would like your data removed, please ask a parent or guardian to contact us — or email lukas+test4@flowedgeai.com directly and we will help.

5. How and why we use your data (lawful bases)

Under UK GDPR Article 6 we must have a lawful basis for every use of personal data:

  • Performance of a contract — processing registrations, taking payments, scheduling sessions, and delivering coaching to a registered child.
  • Legitimate interests — running the Academy day-to-day (e.g. tracking attendance, recording match results, keeping audit logs of staff actions for accountability, fraud prevention, and basic, privacy-respecting analytics). We have carried out a Legitimate Interests Assessment for each of these and balance them against your rights — you may object at any time.
  • Consent — for marketing emails, publishing photos or videos of children, and for any non-essential cookies. Consent can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Legal obligation — keeping financial records for HMRC (6 years), responding to court orders or police requests, fulfilling safeguarding duties under the Children Act 1989/2004 and Working Together to Safeguard Children.
  • Vital interests — accessing medical/emergency contact information to protect a child's life or health in an emergency.
  • Explicit consent (special category data) — processing medical information about your child is on the basis of your explicit consent (Article 9(2)(a)) and protection of vital interests (Article 9(2)(c)).

6. Who has access to your data

Strict multi-tenant isolation. AcademyOS is a multi-tenant platform — many academies use the same underlying technology — but every record is tagged with the academy that owns it (org_id) and database-level Row-Level Security ensures that no academy can ever see another academy's data, even by accident or via a software bug. Parents see only their own children. Coaches see only the squads they coach. Academy administrators see only their own academy.

Within the Academy, the following people can access personal data on a need-to-know basis:

  • The parent/guardian who registered the account (their own record + their children's)
  • The Academy's head coach and team coaches (the squads they are assigned to)
  • The Academy's administrators (operational and financial data)
  • The Designated Safeguarding Lead (where a safeguarding concern is raised)
  • A small number of authorised AcademyOS engineers, only when required to provide technical support, fix a bug, or investigate a security incident — every such access is audit-logged.

7. Sub-processors and third parties

AcademyOS uses the following carefully selected sub-processors. Each is GDPR-compliant, has a signed Data Processing Agreement with AcademyOS, and is bound by the Standard Contractual Clauses where any data transfer leaves the UK/EEA:

Provider | Purpose | Region
Supabase | Database, authentication, file storage | EU (Frankfurt)
Vercel | Website & application hosting, edge delivery | EU / Global edge
Cloudflare | DNS, DDoS protection, R2 image storage | EU / Global edge
Stripe | Payment processing & fraud prevention (PCI-DSS Level 1) | UK / EU / US (SCCs)
Resend | Transactional email delivery | EU / US (SCCs)
Google (Gemini AI) | Coach-facing draft generation only (reports / email drafts / session-note transcription). Inputs are not used to train Google's models (per the Gemini API enterprise terms). Children's identifying details are minimised before submission. | EU / US (SCCs)

We may also disclose personal data where legally required (e.g. to HMRC, the police, or in response to a valid court order), or where disclosure is necessary to safeguard a child.

We do not sell personal data, and we do not share children's data with advertising networks, data brokers, or any third party for marketing purposes.

8. Your rights under UK GDPR

You have the following rights in relation to your personal data and your child's data:

  • Access — request a copy of all data we hold about you and your child.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — ask us to delete your data, subject to limited legal exceptions (see retention).
  • Restriction — ask us to pause processing while a query is resolved.
  • Portability — receive your data in a machine-readable (JSON) format you can take elsewhere.
  • Object — object to processing based on legitimate interests, or to direct marketing at any time.
  • Withdraw consent — for any consent-based processing, without affecting the lawfulness of prior processing.
  • Not be subject to automated decisions — we do not make solely automated decisions that have a significant effect on you or your child.

The fastest way to exercise the access, portability, and erasure rights is from your Parent Portal profile — both Export My Data and Delete My Account are self-service. Otherwise, email us at lukas+test4@flowedgeai.com and we will respond within one calendar month, as required by UK GDPR Article 12(3).

We will ask you to verify your identity before disclosing or deleting personal data, to protect against fraudulent requests.

9. How long we keep your data

We keep personal data only for as long as is necessary for the purpose it was collected:

Type of data | Retention period
Active player & parent records | While registered + 2 years after leaving
Medical & safeguarding information | Deleted within 30 days of the player leaving (unless an active safeguarding matter requires longer)
Financial & payment records | 6 years after the end of the relevant tax year (HMRC requirement)
Enquiry / lead data (no registration) | 12 months after last contact, then deleted
Marketing email preferences | Until you unsubscribe, plus a suppression record retained indefinitely so we don't accidentally re-add you
Audit logs (staff actions) | 2 years
Photos & videos of children | Deleted on consent withdrawal or when the child leaves, whichever is sooner
Server & security logs | 90 days

When the retention period ends, data is either permanently deleted or irreversibly anonymised (so that it can no longer be linked back to a person).

10. Security

We take a defence-in-depth approach to security. Technical and organisational measures in place include:

  • HTTPS / TLS 1.2+ encryption on all connections (HSTS preloaded)
  • Per-academy Row-Level Security — every database row is org-scoped; no SQL query can leak data across academies even in the event of an application bug
  • Encryption at rest (AES-256) for the database and all uploaded files
  • Passwords stored as one-way salted hashes (we never see your plaintext password)
  • Rate limiting, CSRF protection, and bot/honeypot defences on all public forms
  • Strict Content Security Policy and security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
  • Audit logging of staff actions (every read/write to a sensitive record is logged)
  • Two-factor authentication available for coaching staff
  • Quarterly access reviews and least-privilege principles for engineering staff
  • Regular automated and manual security testing; responsible disclosure programme

Despite our best efforts, no method of transmission or storage is 100% secure. If we ever become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay, as required by UK GDPR Articles 33 and 34.

11. International transfers

Your data is primarily stored on EU-based servers (Supabase, Frankfurt). Some sub-processors (Stripe, Resend, Google) may process limited operational data in the United States. Where data leaves the UK / EEA, it is protected by the UK International Data Transfer Agreement / EU Standard Contractual Clauses, plus supplementary measures such as encryption in transit and at rest.

12. Cookies & analytics

We use a small number of strictly necessary cookies to keep you signed in and to protect against fraud. Analytics and any non-essential cookies are only set if you give consent via the cookie banner. Full details, including cookie names and durations, are in our Cookie Policy.

13. Marketing communications

We will only send marketing emails (e.g. news of upcoming camps, offers, or events) where you have actively opted in. Every marketing email contains a one-click unsubscribe link, and you can also manage your preferences from your Parent Portal at any time. We never use children's data for marketing.

14. Changes to this policy

We may update this policy from time to time to reflect changes in the law or our services. The "Last updated" date at the top will always reflect the most recent revision. Material changes will be notified by email or via a banner on the Parent Portal at least 14 days before they take effect.

15. Complaints

If you have a concern about how we handle your or your child's data, please contact us first at lukas+test4@flowedgeai.com — we take every concern seriously and will work with you to resolve it. You also have the right at any time to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

16. Contact us

For any privacy-related question, request, or concern:

  • Live Test 4 27Apr (data controller): lukas+test4@flowedgeai.com
  • FlowEdge AI Ltd (trading as AcademyOS, data processor): dpo@academyos.co.uk — company no. 16247733, registered office 193 Cambridge Street, Aylesbury, Buckinghamshire, HP20 1BQ, United Kingdom.