Tadpole Platform Privacy Policy
Version 2026-01-v3
Tadpole Privacy Policy
Effective Date: 29 January 2026 Version: 2026-01-v2
1. Introduction
Alex Baker and Paul French trading as Tadpole.club ("Tadpole", "we", "us") provides membership management services to clubs and associations. This privacy policy explains how we collect, use, and protect personal data.
2. Our Role: Controller vs Processor
| Context | Our Role | What This Means |
|---|---|---|
| Club member data | Data Processor | Your club decides what to collect; we process it on their behalf |
| Platform accounts | Data Controller | We decide what to collect for admin accounts and billing |
| Website visitors | Data Controller | We control analytics and contact form data |
Important: For club member data, your club is the Data Controller. Contact them to exercise your GDPR rights.
3. Data We Process
3.1 On Behalf of Clubs (Processor)
- Identity: Name, date of birth, photograph
- Contact: Email, phone, postal address
- Membership: Member number, tier, join date, renewal history
- Payments: Transaction records (card details handled by Stripe)
- Consents: Photo consent, marketing preferences
3.2 For Our Own Purposes (Controller)
- Admin accounts: Email, name, phone for club administrators
- Billing: Organisation name, billing address, payment history
- Security: IP addresses, login timestamps, audit logs
- Analytics: Aggregated, anonymised usage statistics
4. Server Locations & Data Transfers
All member data is stored within the European Union:
| Service | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Supabase | Database, Auth, Storage | Ireland (EU) | Standard Contractual Clauses |
| Stripe | Payments | EU processing | EU-US Data Privacy Framework |
| Vercel | Web hosting | Global edge, EU primary | Standard Contractual Clauses |
| Brevo | France (EU) | N/A (EU-based) |
We do not transfer personal data outside the EU/EEA except where covered by approved transfer mechanisms.
5. Data Retention
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Financial records | 7 years | Tax law (Ireland) |
| Active member data | Duration of membership | Contract |
| Lapsed member data | 2 years after lapse | Legitimate interest |
| Photos (adults) | 1 year after membership lapse | Consent |
| Photos (juniors) | Deleted immediately on lapse | Child protection |
| Rejected applications | 1 year | Legal protection |
| Communications log | 3 years | Dispute resolution |
| Booking history | 3 years | Service records |
6. Your Rights Under GDPR
You have the following rights regarding your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Request a copy of your data | Contact your club |
| Rectification (Art. 16) | Correct inaccurate data | Contact your club |
| Erasure (Art. 17) | Request deletion (subject to retention requirements) | Contact your club |
| Portability (Art. 20) | Receive data in machine-readable format | Contact your club |
| Object (Art. 21) | Object to certain processing | Contact your club |
| Withdraw Consent | Revoke any consent given | Use consent management or contact club |
For club member requests: Contact your club administrator. They are the Data Controller.
For platform/admin account requests: Email privacy@tadpole.club
Response time: We respond to all requests within 30 days as required by GDPR.
7. Cookies
We use essential cookies only:
| Cookie | Purpose | Duration |
|---|---|---|
| Session | Authentication | Session |
| CSRF token | Security | Session |
| Theme preference | User experience | 1 year |
We do not use:
- Advertising cookies
- Third-party tracking cookies
- Analytics cookies that identify individuals
See our Cookie Policy for full details.
8. Security Measures
We implement comprehensive security measures:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Control: Role-based permissions, principle of least privilege
- Authentication: Multi-factor authentication for administrators
- Monitoring: Real-time security monitoring and alerting
- Auditing: Comprehensive audit logs of data access
- Testing: Regular security assessments and penetration testing
9. Data Processing Agreement
Clubs using our platform have access to our Data Processing Agreement (DPA), which documents our obligations as a Data Processor under GDPR Article 28.
View Data Processing Agreement
10. Changes to This Policy
We will notify clubs of material changes 30 days in advance via email. The current version is always available at this page.
11. Contact Us
Alex Baker and Paul French trading as Tadpole.club Ireland
- General Privacy: privacy@tadpole.club
- Data Protection Officer: dpo@tadpole.club
- Support: support@tadpole.club
Supervisory Authority: If you believe we have not addressed your concerns, you may lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.