Privacy Policy
Last updated: 6 April 2026
1. Who We Are
ClubSentinel is a health and safety compliance management platform operated by Pin High Media / AIM Studio (“we”, “us”, “our”). We provide software-as-a-service to sports clubs and similar organisations to help them manage their health and safety obligations.
For the purposes of UK and EU data protection law, Pin High Media / AIM Studio acts as the Data Processor on behalf of your club, which is the Data Controller.
If you have any questions about this policy, please contact us at: hello@aimstudio.dev
2. What Data We Collect
We collect and process the following categories of personal data:
- Account data: name, email address, job title, department, and role within your club.
- Club data: club name, address, and contact details provided during onboarding.
- Health & safety records: incident reports, RIDDOR logs, training records, inspection reports, maintenance records, document registers, asset registers, risk assessments, and method statements — all entered by your club's staff.
- Usage data: log entries recording which actions were taken, by which user, and when (for audit trail purposes).
- Authentication data: email address and encrypted password managed by Supabase Auth.
We do not collect sensitive personal data (as defined by UK GDPR Article 9) unless it is incidentally included in records entered by your club's staff.
3. Why We Collect It (Legal Basis)
We process personal data on the following legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the ClubSentinel service you have subscribed to.
- Legitimate interests (Article 6(1)(f)): Security logging, fraud prevention, and platform improvement.
- Legal obligation (Article 6(1)(c)): Where we are required to retain records to comply with applicable law.
4. How We Store Your Data
All data is stored on Supabase infrastructure hosted in the EU West (Ireland) region. Data is:
- Encrypted at rest using AES-256.
- Encrypted in transit via TLS 1.2 or higher (HTTPS).
- Subject to row-level security (RLS) policies ensuring each club can only access its own data.
- Backed up automatically by Supabase.
The application is hosted on Vercel, with servers in the EU region where possible.
5. How Long We Keep Your Data
- During your subscription: all data is retained and accessible.
- After cancellation: data is retained for 30 days to allow you to export it, then permanently deleted.
- Backups: may be retained for up to 90 days after deletion before being purged from backup systems.
You may request earlier deletion by contacting us at hello@aimstudio.dev.
6. Your Rights Under UK GDPR
As a data subject, you have the following rights:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may ask us to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): you may ask us to delete your personal data, subject to legal retention obligations.
- Right to portability: you may request your data in a machine-readable format (JSON or CSV).
- Right to restrict processing: you may ask us to limit how we use your data in certain circumstances.
- Right to object: you may object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at hello@aimstudio.dev. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Data Sharing
We do not sell, rent, or share your personal data with third parties for marketing purposes.
We use the following sub-processors to deliver the service:
- Supabase Inc. — database, authentication, and storage (EU West, Ireland).
- Vercel Inc. — application hosting and content delivery.
All sub-processors are contractually bound to process data only on our instructions and in compliance with UK/EU GDPR. A full list of sub-processors is available in our Data Processing Agreement.
We may disclose data if required by law, court order, or to protect the rights and safety of our users.
8. Cookies
ClubSentinel uses session cookies only. These are strictly necessary to maintain your authenticated session and expire when you close your browser or sign out.
We do not use advertising cookies, tracking pixels, or third-party analytics services that track individual users.
9. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware, and will inform affected clubs without undue delay.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via email or an in-app notice at least 14 days before the changes take effect. Continued use of the service constitutes acceptance of the updated policy.
11. Contact Us
For any privacy-related queries or to exercise your rights:
Pin High Media / AIM Studio
Email: hello@aimstudio.dev
