Privacy Notice

1. Who We Are

Aberfoyle After School Club is operated by Aberfoyle Parent Council, an unincorporated association. We are the data controller for the personal information we hold about you and your children.

If you have any questions about this notice or how we handle your data, please contact us at aberfoyleasc@gmail.com.

2. What Information We Collect

We collect and process the following personal data:

  • Parent / guardian information: name, email address, and phone number.
  • Emergency contact: name and phone number for an alternative emergency contact.
  • Children's information: name, class, and any relevant medical information (allergies, conditions, medication requirements).
  • Booking records: details of sessions booked, including dates and times.
  • Collection register: each day, a read-only register listing children's names grouped by class is generated and shared with the school front office via a time-limited link. This link expires at the end of the day it covers and does not include medical, contact, or consent information.
  • Pickup codes: a unique 6-digit code generated for each booking, used to verify identity at collection. These codes are stored only within our system and are never shared with any third-party service.
  • Payment information: a reference to your payment transaction and the amount paid. We do not store card details; payments are processed by Stripe, a third-party payment provider.
  • Authentication data: session tokens used to keep you signed in. Sign-in is via a magic link sent to your email address — no passwords are stored.

3. Why We Collect It (Lawful Basis)

We process your data under the following lawful bases as defined by the UK GDPR:

  • Contract: to provide the after-school club service you have booked.
  • Legitimate interests: to manage bookings and communicate session changes.
  • Vital interests: to act in the best interests of a child in an emergency (e.g. contacting emergency contacts or sharing medical information with emergency services).

4. Who Has Access to Your Data

Your personal data may be accessed by:

  • Club staff and volunteers who are directly involved in running sessions and need the information to carry out their duties safely.
  • Aberfoyle Parent Council committee members responsible for administering the club.
  • Aberfoyle Primary School front office — receives a daily time-limited link to a read-only collection register showing children's names and classes only. The link expires at the end of the day it covers.
  • Our hosting and software provider(s), who process data on our behalf under a data processing agreement.
  • Stripe (our payment processor) — receives your email address, booking dates and times, and payment details in order to process transactions. Stripe does not receive children's names or any other child-specific information. Stripe processes data under their own privacy policy.
  • Resend (our email delivery provider) — delivers sign-in links, booking notifications, and daily collection register links on our behalf. Emails sent to parents may contain booking dates, times, and reference numbers. Collection register emails sent to the school contain only a link to the register page. Children's names are not included in the body of any email sent through this service. Resend processes data under their own privacy policy.
  • Amazon Web Services (AWS) — hosts database backups. Backups are encrypted using AWS-managed keys and stored in the EU (London) region. AWS does not access your data except as necessary to provide the storage service, under their own privacy notice.

We will not sell your data to third parties. We may share information with statutory authorities (such as social services or the police) where required by law or to protect a child's welfare.

5. How We Protect Your Data

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it:

  • Encryption in transit: all data sent between your device and our servers is encrypted using HTTPS (TLS).
  • Encryption at rest: the database storing your personal information is encrypted at rest. Database backups are also encrypted at rest using server-side encryption in Amazon S3.
  • Authentication: access to the booking system requires sign-in via a magic link sent to your email address. Only authenticated parents, guardians, and authorised club administrators can view or manage bookings.
  • Access control: staff and administrators are granted access only to the information they need to fulfil their role. Administrative accounts with access to parent and child data are protected by two-factor authentication.

6. How Long We Keep Your Data

We retain personal data for the following periods:

  • Active account data: held for as long as your account remains active and for up to 12 months after your last booking.
  • Financial records: retained for 7 years to meet HMRC requirements.

After the relevant retention period, data is securely deleted or anonymised.

7. Your Rights Under UK GDPR

You have the right to:

  • Access the personal data we hold about you (a Subject Access Request).
  • Rectification — ask us to correct inaccurate data.
  • Erasure — ask us to delete your data where there is no longer a lawful basis for holding it.
  • Restriction — ask us to limit how we use your data.
  • Portability — receive a copy of your data in a portable format.
  • Object to processing based on legitimate interests.

To exercise any of these rights, please contact us at aberfoyleasc@gmail.com. We will respond within one month.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies and Website Data

This booking system uses session cookies to keep you logged in. These are strictly necessary for the service to function and do not track you across other websites. No third-party analytics or advertising cookies are used.

9. Changes to This Notice

We may update this notice from time to time. When we make significant changes, we will notify you by email or by displaying a notice in the booking system. The date at the foot of this page shows when it was last reviewed.

Last reviewed: March 2026