Privacy Policy

Last updated 4 July 2026

SportConsent is a parental-consent and safeguarding platform for organisations that run activities for children and young people. This notice explains what personal data is processed through the platform, the lawful basis for each use, how long it is kept, and the rights available under the UK GDPR and the Data Protection Act 2018.

1. Who is responsible for your data

There are two distinct roles under the UK GDPR:

  • Your sports organisation is the data controller. The club, association or organisation that registered a participant decides why and how their data is used, and is your first point of contact for any request about that data.
  • SentinelHQ Ltd is the data processor. We operate the SportConsent platform and process data strictly on documented instructions from the organisation. We do not use participant or parent data for our own purposes and never sell it.
If you are a parent or participant and want to access, correct or delete data, contact the sports organisation you registered with (the controller). They can action the request directly in SportConsent, and we support them as their processor.

2. Who the platform is for

Participants registered on SportConsent are children and young people — under 18 at the time of registration. Data about a child is provided by a parent or guardian with parental responsibility as part of the consent process. When a participant reaches 18, their record is flagged for review and erasure (see section 6).

3. What we process and why

Registration data is held on the participant record; the remaining fields are provided by the parent or guardian through the consent form.

DataLawful basisPurpose
Participant name, date of birthLegitimate interests / contractRegistration, identification and age verification within the organisation
Parent / guardian name, email, phoneConsent / contractSending the consent request and acting as the primary contact
Emergency contact detailsConsent (child safety)Reaching a nominated adult during an event if the parent is unavailable
GP / medical practice detailsConsent (child safety)Duty of care during activities and events
Consent declarations & timestampsConsent / record-keepingRecording that valid consent was given and when it expires

4. Medical and other special-category data

Medical conditions, allergies, dietary requirements and disability or additional-needs information are special-category data under Article 9 of the UK GDPR. It is collected only where a parent or guardian provides it on the consent form, and it is processed on the basis of explicit consentfor the purpose of safeguarding the child’s welfare and safety during activities and events. It is visible only to staff at the participant’s own organisation who are responsible for their care, and to designated safeguarding staff.

5. Who can see the data

Access is scoped to the organisation that owns the record and enforced in the database by row-level security — one organisation can never read another’s participants, consent forms or events. Within an organisation, access is limited by role (administrators, team managers, safeguarding officers and read-only staff). Parent consent forms are submitted through a one-time secure link and cannot be edited by staff after submission.

6. Sub-processors

We use a small number of vetted infrastructure providers to run the platform. Each processes data only to deliver its service and under a data-processing agreement:

ProviderServiceData processed
SupabaseDatabase, authentication and file storage (EU region)All application data: participant, consent and event records
VercelApplication hosting and deliveryRequest data; secrets held as encrypted environment variables
ResendTransactional emailParent/guardian email addresses and participant names within consent emails

Some providers process data outside the UK. Where they do, transfers are covered by UK International Data Transfer Agreements, Standard Contractual Clauses or an equivalent safeguard.

7. How long we keep data

  • Submitted consent is treated as valid for 12 months, after which a renewal is requested.
  • When a participant reaches 18, their record is flagged for review and permanent erasure under the data-minimisation principle — 18+ records are deleted, not archived.
  • An organisation can erase a participant at any time. Erasure permanently removes the participant record and consent form; a name-only audit entry is retained to evidence that a deletion took place, with no link back to the deleted personal data.

8. Your rights

Under the UK GDPR you have the right to access your data, to have it corrected or erased, to restrict or object to processing, and to data portability. To exercise any of these rights, contact the sports organisation you registered with (the controller). Requests are actioned in SportConsent, and a Subject Access Request report covering the participant’s record, consent form and related audit history can be produced.

You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk. If a personal-data breach occurs that is likely to result in a risk to individuals, the ICO is notified within 72 hours as required by Article 33.

9. Contact

Data-protection enquiries: privacy@sentinelhq.co.uk. SportConsent is operated by SentinelHQ Ltd (United Kingdom).