Legal
Privacy Policy
Last updated: March 2026
1. Who We Are
VolleyFirst / All Nations (“we”, “us”, “our”) is a UK-based sports organisation and the data controller responsible for your personal data collected through the VolleyFirst Platform (“Platform”). This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.
2. Data We Collect
2.1 Information you provide
- Account data: your name, email address, and password (managed securely by Clerk — we do not store raw passwords).
- Onboarding data: your date of birth, used solely to verify age eligibility.
- Application data: supplemental information submitted when applying to events (e.g. country of heritage, volleyball association, available dates).
2.2 Information collected automatically
- Payment data: transaction records (amount, date, status) linked to your account. Full card details are never stored by us — they are handled exclusively by Stripe.
- Usage data: basic server logs and error reports used to maintain and improve the Platform.
3. How We Use Your Data
We use your personal data to:
- Create and manage your account.
- Verify your age eligibility for events.
- Process and manage your event applications.
- Handle payments and issue refunds via Stripe.
- Send transactional emails relating to your applications and payments (via Resend).
- Comply with our legal obligations and resolve disputes.
4. Legal Basis for Processing
We rely on the following lawful bases under UK GDPR:
- Contract: processing necessary to fulfil your application and payment for events.
- Legitimate interests: operating and improving the Platform, fraud prevention, and security.
- Legal obligation: retaining financial records as required by law.
- Consent: where you have explicitly agreed to these Terms and this Privacy Policy at onboarding.
5. Third-Party Services
We share data with trusted third-party processors solely to operate the Platform:
- Clerk — authentication and account management. Your email and password are managed within Clerk's secure infrastructure.
- Supabase — our hosted database, stored in the EU. Access is controlled by row-level security policies.
- Stripe — payment processing. Stripe is PCI-DSS Level 1 certified. We only store payment status and amounts, not card details.
- Resend — transactional email delivery. Only your name and email address are passed to Resend for sending event-related notifications.
We do not sell your personal data to any third party.
6. Data Retention
We retain your personal data for as long as your account is active or as necessary to fulfil the purposes outlined in this policy. Financial transaction records are retained for seven years as required by UK tax law. You may request deletion of your account and associated data at any time (see Section 8).
7. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encrypted data in transit (TLS) and at rest.
- Row-level security on all database tables, ensuring each user can only access their own data.
- Rate limiting on sensitive operations to prevent abuse.
- Server-side authentication checks on all data operations.
8. Your Rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data where we have no lawful reason to retain it.
- Restriction — ask us to restrict processing in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, please contact us via our contact page. We will respond within 30 days as required by law.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have not handled your data correctly.
9. Cookies
The Platform uses strictly necessary cookies for authentication session management (via Clerk). We do not use advertising or tracking cookies.
10. Children's Privacy
You must be at least 14 years old to register on the Platform. We do not knowingly collect personal data from anyone under 14. If you believe someone under 14 has registered, please contact us immediately so we can remove the account.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above. Continued use of the Platform after changes are posted constitutes your acceptance of the revised Policy.
12. Contact Us
For any privacy-related queries or to exercise your rights, please contact us via our contact page.