Privacy Policy

1. Introduction

Head Count ("we", "our", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use the Head Count web application and related services (the "Service").

Head Count is the data controller for personal data processed through the Service. We process your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this Privacy Policy, please contact us at support@head-count.app.

2. What Data We Collect

We collect and process the following categories of personal data:

Account information

• Full name
• Email address
• Phone number
• Password (stored securely hashed)

Medical and safety information

• Allergies
• Medical conditions
• Medications

Emergency contact information

• Emergency contact name, phone number, and relationship
• Next of kin details

Payment information

• Payment card details (processed and stored securely by Stripe; we do not store your full card number)
• Billing history and subscription status

Technical data

• IP address, browser type, and device information
• Usage data such as pages visited and features used

3. Lawful Basis for Processing

We process your personal data on the following legal bases under the UK GDPR:

• Contract (Article 6(1)(b)): Processing your account data, event registrations, and payment information is necessary to provide the Service to you.
• Legitimate interests (Article 6(1)(f)): Processing medical and emergency contact information is necessary for the legitimate interests of event safety and participant welfare. Event organisers have a duty of care to participants, and access to this information during events is essential for managing emergencies.
• Legal obligation (Article 6(1)(c)): We may process data where required to comply with applicable laws, such as financial record-keeping obligations.
• Consent (Article 6(1)(a)): Where we send marketing communications, we will obtain your consent first. You can withdraw consent at any time.

Special category data

Medical information (allergies, conditions, medications) constitutes special category data under Article 9 of the UK GDPR. We process this data under Article 9(2)(a) — you provide explicit consent when submitting your medical information through the Service. You may withdraw this consent at any time by deleting your medical information from your profile.

4. How We Use Your Data

We use your personal data to:

• Create and manage your account
• Process event registrations and manage participant lists
• Provide event organisers and leaders with safety-critical information during events
• Process payments and manage subscriptions
• Send event-related notifications and reminders
• Respond to your support requests
• Improve the Service and fix issues

5. Data Storage and Security

We take the security of your data seriously. Your data is stored in a PostgreSQL database hosted by Supabase with the following protections:

• Encryption at rest: All data is encrypted when stored on disk.
• Encryption in transit: All data is transmitted over TLS (HTTPS) connections.
• Row-level security: Database access controls ensure users can only access data they are authorised to see.
• Authentication: Secure session-based authentication with automatic token refresh.
• CSRF protection: All forms are protected against cross-site request forgery attacks.

6. Data Retention

We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this policy:

• Account data: Retained while your account is active. If you delete your account, it enters a 30-day grace period during which you can reactivate. After 30 days, your data is permanently deleted.
• Event registration data: Retained for the duration of the event and 12 months afterward for safety record-keeping.
• Payment records: Retained for 7 years to comply with financial record-keeping obligations under UK law.
• Technical logs: Retained for up to 90 days for debugging and security purposes.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom. We use the following third-party services which may store data internationally:

• Supabase (database hosting) — data is stored on AWS infrastructure. Transfers are protected by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework.
• Stripe (payment processing) — processes payment data in accordance with PCI DSS standards. Stripe is certified under the EU-US Data Privacy Framework.
• Resend (email delivery) — processes email addresses for transactional emails. Transfers are protected by SCCs.
• Google (OAuth authentication) — if you sign in with Google, your Google account identifier is processed. Google is certified under the EU-US Data Privacy Framework.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place as required by Chapter V of the UK GDPR.

8. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can update or correct your personal data at any time through your profile settings.
• Right to erasure: You can request deletion of your personal data by deleting your account in settings.
• Right to data portability: You can request an export of your data in a machine-readable format.
• Right to restrict processing: You can request that we limit how we use your data in certain circumstances.
• Right to object: You can object to our processing of your data where we rely on legitimate interests.
• Right to withdraw consent: Where we process data based on your consent, you can withdraw it at any time.

To exercise any of these rights, please contact us at support@head-count.app. We will respond to your request within one month.

9. Cookies

We use strictly necessary cookies to operate the Service. These cookies are essential for authentication and security, and the Service cannot function without them:

• Session cookies: Used to maintain your authenticated session (access token and refresh token). These are HTTP-only and secure cookies.
• Dark mode preference: Stored in your browser's local storage (not a cookie) to remember your display preference.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

10. Third-Party Services

We use the following third-party services to provide and improve the Service:

• Supabase: Database hosting, authentication, and row-level security. Supabase Privacy Policy.
• Stripe: Payment processing for subscriptions. Stripe Privacy Policy.
• Resend: Transactional email delivery for notifications and invitations. Resend Privacy Policy.
• Google: Optional OAuth sign-in. Google Privacy Policy.
• Render: Application hosting. Render Privacy Policy.

11. Children's Data and Parental Consent

Account holders must be at least 18 years old. Children (under 18) cannot create accounts directly. Instead, a parent or guardian registers minors as "dependants" under their own account.

What data we collect for minors

• Full name
• Date of birth (used to calculate age at event time; the date of birth itself is not displayed to event organisers)
• Medical information (allergies, medications, medical conditions) -- provided optionally by the parent/guardian
• Emergency contact details
• Relationship of the guardian to the child

Parental consent

Before any data is collected for a minor, the parent or guardian must explicitly confirm their consent via a mandatory checkbox when adding a dependant. The consent statement reads: "I confirm I am the parent/guardian of this child and consent to their information being shared with the event organiser and leaders for safety purposes."

Data retention for minors

Minor data is tied to the parent/guardian's account. When the guardian deletes their account, all dependant data (including medical information, emergency contacts, and event registrations) is also deleted. Guardians can delete individual dependant records at any time from their profile.

Account requirement for minors

Registering a minor for an event requires the parent or guardian to have an account. Guest participants (without an account) cannot register minors. This ensures that parental consent is properly recorded and that guardians can manage their dependant's data at any time.

If you believe data has been collected for a minor without proper parental consent, please contact us immediately at support@head-count.app and we will take steps to investigate and delete the data if appropriate.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service and updating the "Last updated" date. Where changes are significant, we will notify you by email. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

13. How to Complain

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

• Website: ico.org.uk/make-a-complaint
• Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.

14. Contact Us

If you have any questions about this Privacy Policy or how we handle your data, please contact us at support@head-count.app.