Privacy Policy

This policy explains how Surrey Cycling Club collects, uses, stores, and protects your personal data. It covers your rights under UK GDPR and how to contact us with any questions.

1. About This Policy

This Privacy Policy explains how Surrey Cycling Club Limited ("we", "us", "our", "the Club") collects, uses, stores, and protects your personal data when you become a member, apply as a demo rider, use our website, or participate in club activities.

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller responsible for your personal data is:

Surrey Cycling Club Limited
The Old Engineering Works, 47 Queens Road, Weybridge, KT13 9UH

For any data protection queries, requests, or complaints, please contact us at:
report@surreycyclingclub.co.uk

3. What Personal Data We Collect

3.1 Membership and Registration Data

When you register as a member or apply as a demo rider, we collect:

  • First name and last name
  • Email address
  • Mobile phone number
  • Date of birth
  • Gender
  • Closest city or town
  • Cycling experience and fitness level (including longest ride distance, fitness self-assessment, road bike ownership, and previous club experience)
  • Emergency contact name and phone number (optional, provided voluntarily)
  • Membership preferences and group selections
  • Strava account status and profile URL (if provided)
  • British Cycling membership status and membership number (if provided)
  • Zwift club invite preference
  • How you discovered the club and referral name (if applicable)
  • IP address recorded at the time of waiver acceptance

3.2 Financial Data

When you purchase a membership or items from our online shop, we collect:

  • Name and billing address
  • Payment transaction records

We do not store credit card or bank details on our servers. Financial records (invoices, transaction history) are processed and stored by our accounting provider (see Section 8).

3.3 Ride and Activity Data

When you participate in club rides, we may collect:

  • Ride submissions and ride history
  • Route preferences
  • Ride captain notes and feedback

3.4 Communication Data

When you contact us or we contact you, we may collect:

  • Email correspondence
  • WhatsApp messages sent via our notification system
  • Feedback and complaints

3.5 Website Data

When you visit our website, we collect limited technical data through essential cookies (see our Cookie Policy for details).

4. How We Use Your Data

We use your personal data for the following purposes:

Purpose | Data Used | Lawful Basis
Managing your membership | Name, email, phone number, date of birth, gender, city, cycling experience | Contract – necessary to provide membership services
Processing demo rider applications | Name, email, phone number, date of birth, gender, city, cycling experience, Strava, British Cycling status | Legitimate interests – to evaluate suitability for demo rides
Organising and managing club rides | Name, email, ride preferences, captain notes | Legitimate interests – to safely operate club rides
Emergency and welfare access during rides | Member phone number, emergency contact name and phone | Vital interests – to protect life in emergency situations; Legitimate interests – duty of care and welfare checks during club activities
Essential club communications (ride cancellations, safety briefings, policy updates, important club notices) | Name, email, phone number (if provided) | Contract and Legitimate interests – necessary to deliver membership services and ensure member safety (see Section 6)
Marketing and partner offers | Name, email | Consent – you explicitly opt in via your account preferences
Processing payments and maintaining financial records | Name, address, transaction details | Contract and Legal obligation – to process purchases and comply with UK tax law
Handling complaints and disputes | Name, email, correspondence | Legitimate interests – to resolve complaints fairly
Recording waiver acceptance | IP address, date and time of acceptance | Legitimate interests – to maintain a verifiable record of waiver agreement
Understanding how members find us | How you discovered the club, referral name | Legitimate interests – to improve our outreach and understand which channels bring new members
Improving club operations | Anonymised ride and membership data | Legitimate interests – to improve our services

5. Emergency Contact and Welfare Access

During club rides, Club Officers and Ride Captains may need to access a member's phone number and emergency contact details (name and phone number). This is used for two purposes:

  • Emergencies: To call your emergency contact or emergency services if there is an accident or medical incident during a ride.
  • Welfare checks: To call you directly to check you are safe, for example if you become separated from the group during a ride or do not return to the meeting point.

Ride Captains act in an official role as ride organisers and have a duty of care to everyone on the ride.

No other personal information (such as your address, date of birth, or financial details) is shared through this system. Only your phone number and emergency contact details are accessible.

This access is protected by the following safeguards:

  • Identity check: The officer or Ride Captain must enter a one-time code sent to their email before any details are shown.
  • Logged: Every request is recorded – who asked, whose details were viewed, when, and whether access was granted.
  • Monitored: Access logs are reviewed regularly. Misuse is a serious breach of the Club Rules and may lead to disciplinary action or termination of membership.
  • Limited data: Only your phone number and emergency contact (name and phone) are shown. Nothing else.
  • No personal use: This information may only be used for safety and welfare during club activities. Using it for personal reasons is strictly prohibited.

The lawful basis for this is vital interests (GDPR Article 6(1)(d)) – protecting life in an emergency – and legitimate interests (GDPR Article 6(1)(f)) – our duty of care to members during club rides, including welfare checks.

6. Essential Club Communications

Surrey Cycling Club reserves the right to contact all members regardless of marketing preferences via email, WhatsApp, and SMS for essential club communications. These include but are not limited to:

  • Ride cancellations and schedule changes
  • Group Safety pre-ride briefings sent to all club members as a reminder, whether or not you are riding on that day
  • Safety information and urgent notices affecting member welfare
  • Policy updates and important changes to club rules or procedures
  • Membership-related notices such as renewal reminders and account updates

You cannot opt out of essential club communications. These messages are necessary for your safety and for the proper operation of the club. They are not marketing and are sent under our contractual obligation to you as a member and our legitimate interest in keeping all members informed and safe.

The lawful basis for essential communications is Contract (GDPR Article 6(1)(b)) – necessary to deliver membership services – and Legitimate interests (GDPR Article 6(1)(f)) – ensuring member safety and the orderly running of club activities.

7. Marketing and Partner Data Sharing

Note: Marketing communications are separate from essential club communications described in Section 6 above. You can opt out of marketing at any time, but you cannot opt out of essential safety and operational messages.

We offer members the option to receive exclusive discounts and deals from our partners. This is entirely voluntary.

  • You can opt in to allow Surrey Cycling Club to share your name and email with selected partners for the purpose of providing exclusive member offers.
  • You can opt out at any time through your account settings on our website.
  • We will never sell your data. Partner sharing only occurs when you have given explicit consent.
  • If you opt out, your data will no longer be shared with partners, though partners who already received your data may need to be contacted separately.

The lawful basis for marketing and partner data sharing is Consent (GDPR Article 6(1)(a)).

8. Third-Party Processors

We use the following third-party services to process data on our behalf:

Service | Purpose | Data Shared
Mollie | Payment processing for memberships and shop purchases | Name, email, transaction details
PayPal | Alternative payment processing | Name, email, transaction details
MailerSend | Sending transactional and notification emails via API | Name, email address
Meta (WhatsApp Business) | Sending WhatsApp ride notifications | Name, phone number
Xero | Accounting and invoicing | Name, address, financial transaction records
Plausible Analytics | Privacy-friendly website analytics (no cookies, no personal data) | Anonymised page view data only – no personal data is collected or shared

These processors act under our instructions and are bound by data processing agreements. No other third-party services have access to your personal data.

We use Plausible Analytics for basic website usage statistics. Plausible does not use cookies, does not collect personal data, and does not track visitors across websites. We do not use Google Analytics, Facebook Pixel, heatmaps, or any marketing or advertising trackers. Our PrestaShop backend operates without third-party tracking.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes set out in this policy:

Category | Retention Period
Active members | Retained for the duration of your membership
Demo riders | 6 months from the date of application. If you do not join the Club within 6 months, all submitted data is deleted
Lapsed members | If membership is not renewed within 14 days of the due date, all personal data is deleted from our club systems
Financial and invoice records | Retained for 6 years from the date of the transaction, as required by UK tax legislation (HMRC)
Ride history and submissions | Retained for the duration of membership, then deleted with other member data
Emergency access audit logs | Retained for 12 months for monitoring and accountability purposes

When data is deleted, it is permanently removed from our systems. We do not retain backups of deleted member data.

10. Data Security

We take appropriate technical and organisational measures to protect your personal data, including:

  • Data is stored on secure, privately managed servers operated by Surrey Cycling Club
  • Access to member data is restricted to authorised Club Officers and Ride Captains
  • Emergency contact access requires one-time code verification and is fully audit-logged
  • Our website uses HTTPS encryption for all data transmission
  • Database access is protected by authentication credentials

11. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can ask us to correct inaccurate or incomplete data.
  • Right to erasure: You can ask us to delete your data, subject to legal retention requirements.
  • Right to restrict processing: You can ask us to limit how we use your data.
  • Right to data portability: You can request your data in a structured, commonly used format.
  • Right to object: You can object to processing based on legitimate interests.
  • Right to withdraw consent: Where we rely on consent (marketing and partner offers), you can withdraw it at any time. Please note that essential club communications (safety briefings, ride cancellations, policy updates) cannot be opted out of while you remain a member.

To exercise any of these rights, please contact us at report@surreycyclingclub.co.uk. We will respond within 30 days.

12. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113

We encourage you to contact us first at report@surreycyclingclub.co.uk so we can try to resolve your concern directly.

13. Children's Data

Surrey Cycling Club is an adult-only cycling club. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will delete it immediately.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will notify members via email. The latest version will always be available on our website.

By continuing to take part in club rides and activities, you accept any updates to our policies. If you disagree with any changes, please contact us immediately at report@surreycyclingclub.co.uk and stop attending club-organised events and rides until your concerns are resolved.

15. Related Documents

This policy should be read in conjunction with:


Effective Date: 1st of April 2026
Last Updated: April 2, 2026
Approved by: Club Owner and Appointed Club Officers