Capture Help Center

Data & Privacy

Capture processes personal data on behalf of your golf club. This page explains how that works, where your data is stored, and what your club is responsible for under UK GDPR.

Your Role and Ours

Under UK GDPR, your club is the data controller — you decide what member data to collect and why. Albatross is the data processor — we process that data on your behalf through Capture, but only in the ways you instruct us to.

Responsibility | Who
Having a lawful basis to hold member data | Your club
Maintaining a privacy policy on your website | Your club
Handling subject access requests from members | Your club (we'll support you)
Deciding whether to report a breach to the ICO | Your club
Processing data only on your instructions | Albatross
Keeping data secure on the platform | Albatross
Notifying you of any breach within 72 hours | Albatross

Data Processing Agreement

Before any member data is uploaded to Capture, a Data Processing Agreement (DPA) must be signed between your club and Albatross. This is a legal requirement under UK GDPR Article 28.

If you haven't signed a DPA yet, contact us at james@albatross.digital.

Where Your Data Is Stored

Capture runs on secure cloud infrastructure hosted in the United States. There is no EU or UK data centre option. This is covered by the UK Extension to the EU-US Data Privacy Framework, which provides an equivalent level of data protection.

Your data is:

  • Encrypted at rest (AES-256) and in transit (TLS 1.2+)
  • Hosted on infrastructure certified to SOC 2 Type II and ISO 27001 standards
  • Never used for any purpose outside of delivering Capture to your club

What Your Club Needs to Have in Place

To use Capture lawfully, your club should have the following in place:

Lawful basis for processing — For existing members, legitimate interests is typically sufficient. For marketing to prospects and non-members, you'll generally need consent. If you're unsure, your county golf union or a data protection adviser can help.

A privacy policy — Your club's website should have a privacy policy that explains what data you collect, why, and how members can exercise their rights (access, deletion, correction). It should reference that you use third-party software to manage member data.

Opt-out mechanism — Any marketing emails sent through Capture include an unsubscribe link automatically. Members who unsubscribe should not receive further marketing communications.

Member Rights

Your members have rights under UK GDPR, including:

  • Subject Access Request (SAR) — A member can request to see all personal data you hold on them. You have one month to respond. We can export a member's data from Capture to help you fulfil this.
  • Right to erasure — A member can ask to be deleted. Contact us and we'll remove them from Capture.
  • Right to correction — Members can ask you to correct inaccurate data. This can be updated directly in Capture.

If a Data Breach Occurs

If you become aware of a potential data breach — for example, an email sent to the wrong person containing member data — contact us immediately:

We'll work with you to assess the situation. If the breach needs to be reported to the Information Commissioner's Office (ICO), that is your club's responsibility as the data controller. We'll provide whatever information you need to make that assessment.

Questions

If you have any questions about how your data is handled, get in touch at james@albatross.digital.
