Privacy Notice — Vale of Clwyd Scouts Booking

1. Who we are

Vale of Clwyd Scout District operates this event booking system to manage district and county Scouting events. We are the data controller for personal data collected through this system.

2. What data we collect

Account information

Full name, email address, phone number
Role within Scouting (parent, young person, leader, event staff)
Scout group and section
Date and record of consent to this privacy notice

Young people profiles

Full name, date of birth, section and group
Medical conditions, allergies, and medications (stored encrypted)
Dietary requirements
Emergency contact name, phone number, and relationship

Event staff profiles

Medical conditions and dietary requirements (stored encrypted)
Emergency contact details

Booking records

Event-specific dietary and medical notes
Stripe payment intent IDs (no card data is ever stored on this system)
Booking status and history

Technical data

Session data (stored server-side, not in cookies)
Audit log entries including IP addresses, timestamps, and actions taken

3. Why we collect it

Event management: To process bookings, collect deposits, and manage participant and staff lists
Safeguarding: To ensure event organisers have access to medical and emergency contact information for participants and staff
Communication: To send booking confirmations, payment receipts, and event reminders
Security and accountability: Audit logs help us detect and investigate unauthorised access or abuse

4. Legal basis

We process your data on the basis of your consent (given at registration) and our legitimate interest in delivering safe, well-organised Scouting events. Medical and dietary information is processed under Article 9(2)(c) UKGDPR (vital interests) and with your explicit consent.

5. Who can see your data

Admins: Can see all data across all groups
Section leaders: Can see names, section, and booking status of young people in their own group only. They cannot see medical details through this system
Event organisers: Receive participant lists including dietary and emergency contact information for events they are running
Parents/guardians: Can only see their own young people's records
Young people: Can only see their own booking records
Event staff: Cannot see participant lists or other users' data

We do not sell or share your data with third parties except as required to process payments (Stripe — see Stripe Privacy Policy) or where required by law.

6. Data security

Medical information is encrypted at rest using AES-256-GCM
Passwords are hashed using bcrypt (12 rounds) and never stored in plain text
All connections are encrypted in transit using TLS (HTTPS)
Sessions use httpOnly, secure, SameSite cookies

7. How long we keep your data

Booking records and young people profiles are retained for 3 years from the end of the relevant event. User accounts are retained until you request deletion. Audit logs are retained for a minimum of 3 years.

8. Your rights

Under UK GDPR you have the right to:

Access — receive a copy of all personal data we hold about you
Rectification — have inaccurate data corrected
Erasure — have your data deleted, subject to legal retention obligations
Data portability — receive your data in a structured, machine-readable format
Object — object to processing based on legitimate interests

To exercise any of these rights, log in and use the "My Data" section of your profile or contact the district administrator directly.

9. Cookies

This system uses a single session cookie (voc_session) which is strictly necessary for the system to function. No tracking or advertising cookies are used.

10. Contact

If you have questions about this privacy notice or how we handle your data, please contact the Vale of Clwyd Scout District administrator.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.