
GDPR Compliance Statement

Last updated: 27 February 2025  |  Hale Technology Limited  |  pitch-it.uk

Contents

  1. Overview
  2. Lawful Basis for Processing
  3. Categories of Personal Data
  4. Data Subject Rights
  5. Data Protection Impact Assessments
  6. Data Processors and Sub-Processors
  7. International Data Transfers
  8. Data Breach Procedure
  9. Data Protection Officer
  10. Children's Data
  11. Site Owners and GDPR
  12. Contact and Complaints

This document sets out Pitch It's commitments and obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It supplements our Privacy Policy with additional detail for business users, site owners, and those with specific compliance requirements.

1. Overview

Data Controller: Hale Technology Limited ("Pitch It", "we", "us")
Registered in: England and Wales
ICO Registration: [Registration number — register at ico.org.uk before going live]
Contact: dpo@pitch-it.uk

As a Data Controller, we determine the purposes and means of processing personal data. Site Owners who process guest data on our platform act as independent Data Controllers in respect of their guests, and as Data Processors in respect of data handled through Pitch It's systems on their behalf.

2. Lawful Basis for Processing

We identify and document a lawful basis before processing any personal data:

  • Article 6(1)(b) — Contract: processing necessary to perform the booking contract (account management, booking processing, payments)
  • Article 6(1)(c) — Legal obligation: processing required by law (HMRC record-keeping, fraud reporting, court orders)
  • Article 6(1)(f) — Legitimate interests: fraud prevention, platform security, service improvement, internal analytics — subject to a documented balancing test
  • Article 6(1)(a) — Consent: marketing communications, non-essential cookies, precise location tracking

We do not process special category data (Article 9) except where a user voluntarily discloses accessibility requirements, in which case we rely on Article 9(2)(a) (explicit consent).

3. Categories of Personal Data

  • Identity data: name, username, date of birth (age verification)
  • Contact data: email address, phone number, postal address
  • Financial data: billing address, last 4 digits of card (full card data processed by Stripe, not stored by us)
  • Transaction data: booking history, payment amounts, cancellations
  • Technical data: IP address, browser, device, cookies
  • Usage data: pages viewed, search terms, clicks, session data
  • Profile data: preferences, reviews, saved locations
  • Communications data: messages, support tickets

4. Data Subject Rights

We have documented procedures for handling all eight UK GDPR data subject rights. Our standard response time is 30 days from receipt of a valid request (extendable by 60 days for complex requests with notice).

Right of Access (Article 15)

Submit a Subject Access Request (SAR) to dpo@pitch-it.uk or via your account dashboard. We will provide a structured data export at no charge. We may request proof of identity.

Right to Rectification (Article 16)

You can update most personal data directly in your account settings. For data you cannot update yourself, contact us and we will correct inaccuracies within 30 days.

Right to Erasure (Article 17)

You may request deletion of your data. We will comply unless retention is required by law (e.g. financial records under HMRC requirements), or where we have overriding legitimate interests (e.g. fraud prevention).

Right to Restriction (Article 18)

You may request restriction of processing in certain circumstances — for example, while we verify accuracy of disputed data.

Right to Data Portability (Article 20)

Where processing is based on consent or contract, you may request your data in a structured, machine-readable format (JSON or CSV).

Right to Object (Article 21)

You may object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to direct marketing.

Rights Related to Automated Decision-Making (Article 22)

We do not make solely automated decisions with legal or similarly significant effects. Our fraud detection flags accounts for human review.

5. Data Protection Impact Assessments

We conduct DPIAs before introducing new processing activities or technologies that are likely to result in a high risk to individuals' rights and freedoms, including:

  • New features involving location tracking
  • Integration of third-party analytics or advertising tools
  • Any processing of special category data
  • Large-scale profiling of users

6. Data Processors and Sub-Processors

We engage the following categories of Data Processors, all bound by written Data Processing Agreements:

  • Cloud hosting: servers in the UK or EEA
  • Payment processing: Stripe Inc. (certified PCI-DSS Level 1)
  • Email delivery: transactional email provider
  • Analytics: Google Analytics (data anonymised, IP truncated)
  • Customer support: support ticketing platform

A full list of sub-processors is available on request. We notify users of material changes to our sub-processor list.

7. International Data Transfers

Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place:

  • Transfers to countries with UK adequacy decisions require no further safeguards
  • Transfers to other countries are covered by UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) with a UK Addendum
  • Google Analytics data is subject to additional anonymisation before any transfer

8. Data Breach Procedure

We maintain a data breach response plan. In the event of a personal data breach:

  • We will assess the risk to individuals within 24 hours of becoming aware
  • Breaches likely to result in a risk to individuals' rights and freedoms will be reported to the ICO within 72 hours
  • Affected individuals will be notified without undue delay where the breach poses a high risk to them
  • All breaches are logged internally regardless of severity

To report a suspected security issue: security@pitch-it.uk

9. Data Protection Officer

As an SME, Pitch It is not currently required to appoint a formal DPO under UK GDPR Article 37. We have designated a Data Protection Lead responsible for overseeing compliance. Contact: dpo@pitch-it.uk

10. Children's Data

Our platform is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we become aware that a child under 13 has provided us with personal data, we will delete it promptly. If you believe we may have collected data from a child, contact us immediately.

11. Site Owners and GDPR

When you use Pitch It as a Site Owner, you become an independent Data Controller for the personal data of your guests. You are responsible for:

  • Having a lawful basis for processing guest data you receive through Pitch It
  • Providing guests with your own privacy notice
  • Handling Subject Access Requests and other data subject rights requests in respect of data you control
  • Not retaining guest data beyond the purposes for which it was shared
  • Complying with all applicable data protection laws in your jurisdiction

Our Site Owner Agreement includes Data Processing provisions reflecting our respective roles. By accepting the Site Owner Agreement you confirm your compliance with UK GDPR.

12. Contact and Complaints

Data Protection Contact

Hale Technology Limited
Data Protection Lead: dpo@pitch-it.uk
General privacy: privacy@pitch-it.uk
Security issues: security@pitch-it.uk

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

© 2025 Hale Technology Limited. Registered in England & Wales. pitch-it.uk
