Legal
Privacy & Cookies Policy
Last updated: 3 June 2026
1. Introduction
Vortex Martial Arts Academy LTD (“we”, “us”, “our”) is committed to protecting your personal data and being transparent about how we use it.
This policy explains what personal data we collect, why we collect it, who we share it with, how long we keep it, and what rights you have under the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulations 2003 (PECR).
Data controller
- Company name: Vortex Martial Arts Academy LTD
- Registered address: 45 Dorrington Road, Lancaster, LA1 4TB
- Contact for data matters: andy@vortextkd.club
- ICO registration: ZB786642
2. What Data We Collect
Account and identity data
Name, email address, phone number, and postal address collected when you create a portal account or make an enquiry.
Children's data (minors under 18)
Where a trainee is under 18, we collect their first name, last name, and date of birth, along with the name and contact details of the responsible parent or guardian. This category is treated with additional care and is processed only with parental consent. See Section 5 for full details.
Trial enquiry data
Name, email address, phone number, the child's approximate age (if booking for a child), and the source of your enquiry (e.g. Google, Facebook, word of mouth) collected when you submit a trial booking form.
Payment data
Card payments are handled entirely by Stripe. Direct Debit mandates are handled entirely by GoCardless. We never receive, see, or store your card number or bank account details directly. What we do store is a payment reference ID (so we can match a payment to your account), the amount, the date, and the status of each transaction.
Membership and billing records
Your membership tier, number of classes per week, billing interval, payment dates, and membership history.
Attendance records
A log of which classes a member attended, the date, and how the attendance was covered (membership, credits, or trial).
Class bookings and credit balances
Trial bookings, grading bookings, credit pack purchases, and your current credit balance.
Grading records
Belt grade, grading history, and progression data where applicable.
Communications
We send transactional emails (booking confirmations, reminders, account notices) via Resend. We do not currently track whether you open or click these emails. If this changes, this policy will be updated and you will be notified.
Authentication data
Hashed passwords (never stored in plain text), session tokens, and security-related logs.
Technical data
Standard server logs collected automatically when you visit our website: IP address, browser type, device type, pages visited, and timestamps. These are used for security monitoring and infrastructure management. We do not currently run website analytics (no Google Analytics, no Vercel Analytics).
3. How We Get It
- Directly from you via our trial booking forms, portal sign-up, and any email or message you send us.
- From a parent or guardian on behalf of a child, when booking a trial or setting up a household account.
- From your bank via GoCardless, when you authorise a Direct Debit mandate. GoCardless sends us confirmation that the mandate is active and processes collections on our behalf.
4. Legal Basis (UK GDPR Article 6)
We only process personal data where we have a lawful basis for doing so. Here is the basis we rely on for each category:
Contract performance (Article 6(1)(b))
Processing that is necessary to deliver the service you signed up for: your member account, attendance records, bookings, payment processing, Direct Debit setup, and email confirmations.
Consent (Article 6(1)(a))
Marketing emails (only sent where you have opted in, with a clear unsubscribe in every email). Non-essential cookies, including the Meta Pixel when active (see Section 10).
Legitimate interests (Article 6(1)(f))
Following up with people who submitted a trial enquiry but did not book (we have a reasonable business interest in doing so, and you can opt out at any time). Maintaining account security and preventing fraud. Improving our service based on how members use it.
Legal obligation (Article 6(1)(c))
Keeping financial and tax records for 7 years as required by HMRC. Safeguarding records where applicable under statutory requirements.
5. Children's Data
We run martial arts classes for children aged 4 and upwards, so a significant portion of the personal data we hold relates to minors. We take this responsibility seriously.
Parental consent
All household accounts must be created by a parent or guardian aged 16 or over. Children's personal data is collected and processed only with the knowledge and consent of the responsible adult on the account.
Data collected on children
For each trainee under 18 we hold: first name, last name, date of birth, class attendance records, grade and progression records, and any bookings made on their behalf. We do not collect children's email addresses or phone numbers.
Parental rights
Parents and guardians may exercise all data rights (access, correction, erasure, portability) on behalf of their child. Contact us at andy@vortextkd.club. We will verify your relationship to the child before acting on any request.
Safeguarding
All instructors who work with children are DBS (Disclosure and Barring Service) checked and first-aid trained. We retain safeguarding records in line with statutory guidance.
Older teenagers (13-17)
A teenager aged 13 or over attending our adult beginner class (ages 13+) may, with the knowledge of a parent or guardian, manage their own account access. The responsible adult remains the account holder.
6. Who We Share Data With
We do not sell your personal data to anyone. We share data only with the processors below, each of whom is under a contractual obligation to handle it securely.
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Card payment processing | US (SCCs) |
| GoCardless | Direct Debit mandate management and collection | UK |
| Resend | Transactional email delivery | US (SCCs) |
| Vercel | Website and API hosting | US (SCCs) |
| Supabase | Database and authentication | EU (eu-west-1) |
| Meta Platforms Ireland Ltd | Advertising pixel tracking (consent required) | EU/US (SCCs) |
| HMRC and other authorities | Legal/regulatory obligations only, on request | UK |
7. International Transfers
Where processors are based outside the UK or European Economic Area, transfers are safeguarded by one of the following mechanisms:
- Supabase (eu-west-1, Ireland): Within the EEA - no transfer mechanism needed.
- GoCardless: UK-based - no transfer.
- Vercel, Resend, Stripe: US-based. Transfers are made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU Standard Contractual Clauses, as appropriate.
- Meta Platforms Ireland: EU-based controller; US transfers under Standard Contractual Clauses where applicable.
8. How Long We Keep Data
| Data category | Retention period |
|---|---|
| Financial records (payments, invoices, membership billing) | 7 years from end of membership - HMRC requirement |
| Member account records (non-financial: attendance, grades, bookings) | For the duration of active membership, plus 2 years after the end of membership, after which the records are deleted. |
| Trial enquiries (not converted to membership) | 2 years from the date of enquiry, after which the records are deleted. |
| Marketing subscribers | Until unsubscribe or withdrawal of consent |
| Security and access logs | 90 days |
| Safeguarding records | In line with statutory guidance applicable to the specific record |
9. Your Rights
Under UK GDPR you have the following rights. These apply to your own data; parents or guardians may also exercise these rights on behalf of a child in their care.
Right of access (Subject Access Request)
You can ask us for a copy of the personal data we hold about you.
Right to rectification
If any data we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to erasure (“right to be forgotten”)
You can ask us to delete your personal data. We will comply unless we are required by law to keep it (for example, financial records kept for HMRC compliance).
Right to restriction of processing
You can ask us to pause processing your data in certain circumstances (for example, while you contest its accuracy).
Right to data portability
For data you provided to us and which we process by automated means on the basis of consent or contract, you can ask us to provide it in a machine-readable format.
Right to object
You can object to processing based on our legitimate interests. We will stop unless we can demonstrate compelling grounds that override your interests.
Right to withdraw consent
Where processing is based on your consent (marketing emails, optional cookies), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal. Use the unsubscribe link in any marketing email, or contact us directly.
Right to complain
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by phone on 0303 123 1113. We would appreciate the opportunity to address your concern first.
How to exercise your rights
Email andy@vortextkd.club with “Data Request” in the subject line. We will respond within one calendar month. We may ask you to verify your identity before acting on the request.
10. Cookies
Cookies are small text files stored on your device by your browser when you visit a website. We use them to keep you signed in to the member portal and, in future, to measure the effectiveness of our advertising.
Strictly necessary cookies
These are essential for the website to work and do not require your consent.
Marketing cookies
The Meta Pixel is planned for future use to help us understand whether our Facebook and Instagram adverts are reaching the right audience. It is not currently active. When it is enabled, we will ask for your consent via a cookie banner before placing any marketing cookies.
Analytics cookies
We do not currently run any website analytics tools (no Google Analytics, no Vercel Analytics). This section will be updated if that changes.
Cookie list
| Name | Provider | Purpose | Duration | Type |
|---|---|---|---|---|
| vortex_portal | Vortex Martial Arts Academy | Member portal authentication session | 30 days | Necessary |
| __vercel_* | Vercel | Infrastructure load balancing | Session | Necessary |
| _fbc, _fbp | Meta Platforms, Inc. (via Meta Pixel) | Facebook Click ID and Browser ID. Set by Meta Pixel to attribute conversions to specific ad clicks and improve match quality of conversion events. | 90 days | Marketing |
| vortex_first_touch, vortex_last_touch | Vortex Martial Arts Academy LTD (first-party) | First-party marketing attribution. Records the ad campaign and ad variant that brought you to the site, used internally to measure which campaigns are effective. | 90 days | Marketing |
Managing cookies
You can control cookies through your browser settings at any time. Note that disabling strictly necessary cookies will affect your ability to sign in to the member portal. When our cookie consent banner is live, you will be able to accept or decline non-essential cookies from there.
11. Updates to This Policy
We may update this policy from time to time. If we make a material change (for example, adding a new category of data processing or a new third-party processor), we will notify active members by email at least 14 days before the change takes effect.
The “Last updated” date at the top of this page shows when this version was published.
12. Contact
- Data controller: Vortex Martial Arts Academy LTD
- Email: andy@vortextkd.club
- ICO (for complaints): ico.org.uk/make-a-complaint or 0303 123 1113