About us

In this Privacy Policy, we use the term “Rugby AM” (and “we”, “us” and “our”) to refer to Rugby AM Ltd and Rugby AM CIC. Full details about Rugby AM Ltd and Rugby AM CIC are provided in the “Legal notice” section below.

 

Introduction

Rugby AM (hereafter referred to as “Rugby AM”, “we”, “us” and “our”), is the data controller for the personal information we process. We recognise that your privacy is important and consequently we are committed to protecting it. This Privacy Policy explains what personal information we process about you when you:

  • purchase our products such as tickets and merchandise;
  • register for free services such as membership;
  • use our web site;
  • communicate with us by email, telephone or on social media;
  • subscribe to our direct marketing communications;
  • interact with us as a representative of our suppliers or partners.

 

Other websites

Our websites and digital platforms may contain links to other websites which are outside our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours.

This includes but is not exclusive to the online ticket sales platform, online merchandise store and coaching camps.

 

How to contact us about this Privacy Policy

We have a dedicated Data Protection Officer (DPO) who you can contact if you have questions about this Privacy Policy or about your personal data in general. Please write to:

Data Protection Officer
Rugby AM

Unit 22 Holly Park Mills

Woodhall Road

Calverley

Leeds

LS28 5QS

 

Alternatively email: contact@rugbyam.co.uk

 

Personal information we process and what we use it for 

Rugby AM will only process your personal information for the purposes outlined in the following sections. If these purposes change over time or we want to use data for a new purpose which we did not originally anticipate, we will only go ahead if the new purpose is closely related to the original purpose. If the new purpose is incompatible with the original purpose, we will seek your specific consent for the new purpose; or if a clear legal provision exists requiring or allowing the new processing in the public interest, we will inform you accordingly.

 

Visitors to our website

 

You can access and browse our websites without the need for you to actively provide us with your personal data. However, you will need to register a user account in order to purchase tickets, merchandise or coaching courses plus we may restrict access to chosen content to be only available to those who have registered for a free membership (see “Registering on our websites” for more information).

When you visit our websites we automatically collect information about your device and about your visit. This helps us to better understand how you use our digital platforms and enables us to design our site to better suit your needs whilst also creating better, more personalised content which improves your experience for future visits. The information we collect includes:

  • how you have reached our digital platform, the internet protocol (IP) address you have used, and the MAC address of your device
  • your operating system, browser type, versions and plug-ins
  • your journey through our digital platform, including which links you click on and any searches you made, how long you stayed on a page, and other page interaction information
  • photos you share with us
  • videos you have watched and the duration
  • offers you have redeemed
  • what content you like or share
  • which adverts you saw and responded to
  • which pop up or push messages you might have seen and responded to
  • your current subscription status
  • information collected in any forms you complete
  • location based services

 

We may also infer your country of location from the IP address you have used to access our digital platforms.

 

Cookies

Some of this information is collected by cookies which are small text files that store basic information that a website can use to track on-line traffic flows, recognise repeat site visits and record information about your on-line preferences. They often include an anonymous unique identifier that is sent to your browser from our websites, which is then stored on your computer’s hard drive. Cookies do not attach to your system and damage your files but observe user behaviour and compile aggregate data that we then use to improve web services. We also use cookies to measure the effectiveness of advertising.

For further, more detailed information on how we use cookies, please refer to our Cookie Policy.

The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. The only exception to this is the placement of non-essential cookies on your devices where we rely on article 6(1)(f) of the GDPR which requires us to obtain your consent.

 

Registering a user account on our websites

 

To access the areas of our websites where you can purchase event tickets, memberships and coaching courses you will need to register with us. During the registration process you will be asked to submit personal information including:

  • title and name,
  • date of birth,
  • gender,
  • delivery address,
  • email address,
  • account password,
  • contact number
  • contact preferences.

We use this information to provide you with a secure, identifiable user account, to ensure we provide you with age appropriate content, and to fulfil and communicate with you about your purchases.

Where we use this information to provide you with a secure, identifiable user account,

the legal basis we rely is article 6(1)(f) of the GDPR, which allows us to process personal data for our legitimate interests.

Where we use this information to ensure we provide you with age appropriate content when you are logged on, the legal basis we rely is article 6(1)(c) of the GDPR, which allows us to process personal data to meet our legal obligations.

Where we use this information to fulfil or communicate with you about any purchases you have made. The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party (see Purchase our Products and Services for more information).

We may also send you information about our latest news, competitions, ticket and merchandise updates and offers and those of our partners. The legal basis we rely on for this activity is article 6(1)(a) of the GDPR, which requires us to obtain your consent (see Direct Marketing for more information).

 

Purchasing our products or services

We need to process your personal data in order to provide you with the products and services you purchase from us. If you have already registered an account, then we will use the information you provided during the registration process to deliver and communicate with you about your purchase. In addition to this, we will need to collect your payment card details in order to process payment

The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party.

Depending on the service or product you have purchased, we may also need to collect additional information such as:

  • details of any disability or access requirement when you purchase a ticket for an event or service which will take place at the stadium or any of our other locations. This enables us to make reasonable adjustments to make your visit safe and comfortable and compliant with the Equality Act 2010. The legal bases we rely on for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.
  • details about any medical conditions you may have when you enrol in one of our coaching courses. We have a duty of care for all participants that enrol in our coaching courses. Processing this information enables us to administer appropriate first aid in the event that participants are injured or taken ill whilst on our premises. The legal bases we rely on are article 6(1)(a) and 9(2)(a) which require us to obtain your explicit consent.
  • details about your vehicle where the product or service you have purchased entitles you to a parking space. The legal basis we rely on to process this data is article 6(1)(b) of the GDPR, which allows us to process personal data where the processing is necessary for the performance of a contract to which the data subject is party.

 

Fraud screening and prevention

Sometimes where there is suspicion of illegal activity such as fraud, we will ask you to provide a copy of an identity document such as a passport. This is usually only necessary for overseas customers and some UK customers where the value of the purchase exceeds a threshold or where the delivery address is different to the card address.

In addition, we may keep the personal information of individuals suspected of suspicious purchasing. This information may be shared with other clubs and local law enforcement agencies as we attempt to protect the public against seriously improper conduct.

We also requested copies of identity documents for ticket holder name changes i.e. maiden to marital surname, to verify the name change and ultimately to prevent tickets being reallocated to different people.

When we have completed the check process, we delete the copies.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data for our legitimate interests. In this case our legitimate interests are protecting us and our customers against fraud.

 

 

Direct marketing and market research

When you register your user account on our website we ask you to set your contact preferences for marketing and market research communications from us and our partners. These settings are opted out by default meaning that we and our partners will only send you such communications where you actively opt-in.

We also include the option to opt in to marketing and market research communications on some of our online forms i.e. competitions and quizzes. Again, we will only ever send you these communications if you opt-in.

If you do opt-in and you later change your mind, we provide an unsubscribe link at the bottom of every marketing communication. You can also object to marketing communications by contacting our Data Protection Officer.

The legal basis we rely on to process this data is article 6(1)(a) of the GDPR, which allows us to process personal data with your consent.

 

Competitions, voting, and quizzes

From time to time we will run competitions, votes and quizzes. When you take part in these activities we will ask you for some basic personal information to enable us to administer the competition, vote or quiz. This will usually consist of your name, email address and phone which we will need in order to contact you if you win. We will also ask for your date of birth to verify age to ensure that where a competition is age restricted, only those eligible will be entered. Should an individual enter details that make them ineligible, all details will be destroyed.

As stated in the Direct Marketing section, we will not use this information to send you marketing communications unless you opt-in.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

 

Making an enquiry or complaint

When you contact us to make an enquiry or complaint, we collect personal information such as your email address so that we can respond to you.

We may monitor or record telephone calls for security purposes and to improve the quality of services that we provide to you.

We record details of all enquiries or complaints on our systems and share them with the areas of the business that are best placed to address them.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests. In this case our legitimate interests are dealing with the enquiry or complaint and any subsequent issues that may arise, and to check on the level of service we provide.

 

Interacting with us as a representative of our suppliers or partners.

Rugby AM operates with a broad portfolio of suppliers and commercial partners. Our staff will process details of our suppliers’ or partners’ nominated business contacts in order to manage these business relationships. This includes information such as names, job titles and contact details.

In the case of deliveries to the office, we may ask our suppliers to provide the name of their delivery drivers. We use this information to verify delivery drivers when they attend the Stadium.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

 

Applying for a job

When you apply for a job with us, we collect and process a range of personal data in order to assess your suitability for employment. You are under no statutory or contractual obligation to provide data to us during the recruitment process. However, if you do not provide the information, we may not be able to process your application properly or at all.

We ask for:

  • personal details including name and contact details
  • details of your qualifications, skills, experience and employment history;
  • information about your current level of remuneration, including benefit entitlements;

The legal basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

We will also ask whether or not you have a disability for which the organisation needs to make reasonable adjustments during the recruitment process. The legal bases we rely on for this are article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation and article 9(2)(b) as the processing is necessary for the purposes of carrying out our obligations in the field of social security and social protection law.

You will also be asked to provide equal opportunities information including information about your ethnic origin, sexual orientation, health, and religion or belief. This is not mandatory – if you don’t provide it, it won’t affect your application. This is done for the purposes of equal opportunities monitoring only and we won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. The legal bases we rely on are article 6(1)(a) and 9(2)(b) which require your explicit consent.

In some cases, we need to process data to ensure that we are complying with our legal obligations. For example, it is required to check a successful applicant’s eligibility to work in the UK before employment starts. It these situations the legal basis we rely on is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation

When we make a job offer we will also seek information from third parties, such as references supplied by former employers and information from employment background check providers. For some roles, we are legally obliged by safeguarding legislation to conduct criminal records checks. This usually applies to roles that involve working with minors. The legal basis we basis we rely on is article 6(1)(c) of the GDPR which allows us to process information to meet a legal obligation.

Sharing your information

Your information will be shared internally for the purposes of the recruitment exercise. This includes members of the HR team, interviewers involved in the recruitment process, managers in the business area with a vacancy and IT staff if access to the data is necessary for the performance of their roles.

We will not share your data with third parties, unless your application for employment is successful and we make you an offer of employment. The organisation will then share your data with former employers to obtain references for you, employment background check providers to obtain necessary background checks and the Disclosure and Barring Service to obtain necessary criminal records checks.

Keeping your information

If you are unsuccessful after assessment for the role, we will hold your data on file for 6 months after the end of the relevant recruitment process. At this point your data will be deleted unless you have told us that you would like your details retained in our talent pool. If this is the case, then we would proactively contact you should any further suitable vacancies arise.

If your application for employment is successful, personal data gathered during the recruitment process will be transferred to your personnel file and retained during your employment. The periods for which your data will be held will be provided to you in a new privacy notice.

 

Responding to requests to exercise your data subject rights

When you contact us to exercise your data subject rights (see “Your Rights” for more information) we will ask you for some information so that we can confirm your identity and ensure that we action your request against the right account. This will usually be your full name and email address, We do not store this information – we just use it to confirm your identity.

We maintain a record of all the data subject rights requests that we receive. If you do make a request, this record will capture your name and a differential piece of data such as your email address or date of birth. We keep this record to evidence our compliance with data protection legislation and as a record of our activities in case we are challenged.

The legal basis we rely on to process this data is article 6(1)(f) of the GDPR, which allows us to process personal data when its necessary for the purposes of our legitimate interests.

 

Children

If you are under 16

If you are under 16 and register for restricted areas of our digital platforms, we will collect your date of birth and retain that with your name and other details you may provide. This is so we can ensure we treat you in an age appropriate way in line with this policy.

If you have signed up to receive a product or service, we may contact you about this.

 

Ages 13-15

If you are aged 13-15, you must first tell your parent or legal guardian that you wish to register on our digital platforms and get their consent. You must make sure that your parent or legal guardian knows and agrees each time before you:

  • email us or ask us to email anything to you;
  • send any information to us;
  • enter any competition or game that requires information about you or offers a prize;
  • register for a membership; or
  • offer or agree to buy anything online.

If you are the parent or legal guardian of a user of our digital platforms who is aged 13 to 15 we do not seek your direct consent to their registration, but we expect them to inform you and get your agreement in advance before they register and before each time they do any of the activities listed above.

Aged under 13

If you are under 13, you may only use the restricted areas of our digital platforms if your parent or legal guardian has first told us that you are allowed to do so.

If you are under 13 and wish to register, you must truthfully tell us your name, email address, country and date of birth. We will then ask you for the name and email address of your parent or legal guardian. We will send them an email, so they are aware of your request and will ask them for their consent and to confirm they have authority to give that consent. We need their consent or refusal within 7 days, or else we will assume consent is not granted. Their consent can be withdrawn at any stage.

Even if your parent or legal guardian gives their consent to your registration, if you are under 13 we still expect you to tell them and get their agreement in advance each time before you:

  • email us or ask us to email anything to you;
  • send any information to us;
  • enter any competition or game that requires information about you or offers a prize;
  • purchase an official membership; or
  • offer or agree to buy anything online.

If you are the parent or legal guardian of a user of our digital platforms who is under 13, they can access and use unrestricted areas, but we will need your direct consent if they wish to gain access to restricted areas.

 

Automated Decision-making and profiling

Automated decisions mean that a decision concerning you is made automatically on the basis of a computer determination (using software algorithms), without human review.

The only time we conduct any form of automated-decision making based on profiling is when you visit our websites. We use third party software to analyse the way you use our websites in order to provide you with a more personalised experience next time you visit our websites. For example, we may analyse the products you buy from our shop or the types of web pages you look at the most. Next time you visit our website we will then tailor the content we provide you based on those preferences. We might also suggest other products or services you might be interested in.

These activities are fully automated and you can turn them off by disabling our website’s cookies in your web browser. Our Cookie Policy explains how to do this.

We do not conduct any other forms of automated-decision making particularly anything that could have a legal or similarly significant effect on you. If this changes over time, we will seek your explicit consent and update this privacy notice accordingly.

 

Sharing your information

Rugby AM shares your personal data internally and with selected third-parties in the following circumstances:

Third party service providers.

In order to provide our products and services to you or to otherwise fulfil contractual arrangements that we have with you, we may need to appoint data processors to carry out some of the data processing activities on our behalf. These may include, for example, payment processing organisations, delivery organisations, fraud prevention and screening and credit risk management companies, mailing houses and IT system providers. We have contracts in place with our data processors which means that they cannot do anything with your personal information unless we have instructed them. They will not share your personal information with any other organisations and will hold it securely and retain it for the period we instruct.

 

Commercial Partners

We may also share personal data, such as your name and contact details, with our commercial partners but only where you have explicitly consented to this or requested that we do so. For example, when you enter a competition which is a joint promotion, or you request to receive certain marketing communications. In any case, we will provide you with clear information before we share your personal data.

Publicity and media

We may disclose your personal data publicly via the media or social media. For example, when sharing a comment or opinion you have provided or if you win a competition or promotion we may disclose your name online. In such cases, we will clearly notify you of the sharing and you will have the choice not to participate or to otherwise object to such sharing, subject to our other legal obligations.

Legal and other

We may also share your data with third parties:

  • if we are under a legal or regulatory duty to do so
  • if it is necessary to do so to enforce our terms and conditions of sale or other contractual rights
  • to lawfully assist the police or security services with the prevention and detection of crime or terrorist activity
  • where such disclosure is necessary to protect the safety or security of any persons
  • and/or (e) otherwise as permitted under applicable law.

 

International data transfers

We are based in the UK but sometimes your personal information may be transferred outside of the European Economic Area (EEA). For example, some of our third-party suppliers or commercial partners to which we disclose your personal data may be situated outside of the EEA. Where we do transfer your personal data outside of the EEA, we make sure that we put one of the EU’s approved suitable safeguards in place, for example using approved contractual agreements or by obtaining your explicit consent for the transfer.

 

Security

Protecting your personal information is very important to us and as such we have put a range of security defences in place in order to ensure it.

This includes:

  • Technical measures such as encryption when we send your data over the internet, anti-virus software, secure user accounts on our systems that restrict access to your personal information, regular data back-ups, and conducting security testing of our systems.
  • Physical security measures that ensure that physical access to your data, whether it is in electronic or hard copy form, is also restricted and controlled.
  • Personnel security measures such as contractual clauses in employment contracts that require our employees to protect the confidentiality of your data, and regular awareness training about data protection and information security.

Some of our IT systems are provided by third party suppliers. In these cases the security of your data is a shared responsibility and we have contracts in place which outline each party’s responsibilities for the security of data.

 

Keeping your information

We retain your personal information for the minimum reasonable time period to allow us to fulfil the purposes that we collected it for. We will delete or destroy your data after that time except where we need to keep any personal information to comply with our legal obligations, resolve ongoing disputes or defend ourselves against future legal claims, or enforce our agreements.

Occasionally, we may continue to use data without further notice to you. This will only be the case where any such data is anonymised and you cannot be identified as being associated with that data.

Please contact contact@rugbyam.co.uk for further information about our retention periods.

 

Your Rights

You have certain rights in relation to your personal information. In order to exercise any of the following rights please contact the DPO using the details above.

Right of access: You have the right to access the data that we hold on you. We provide you with access to as much of your personal information as possible via your account on our website, however, if you require access to other information, you should make a subject access request in writing.

Right to rectification: You can request that we update any of your personal information, which is out of date or incorrect. We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it. Please note that you are able to correct basic personal information on the HR and recruitment systems and it is your responsibility to ensure the data is up to date.

Right to erasure: In some circumstances you can ask for your personal information to be deleted. You should be aware however that this is not an absolute right and there are situations where legally, we will not be able to comply with your request. If we cannot comply with your request, we will clearly explain our reasons.

Right to object: You can object to our processing of your personal information where we do so in our legitimate interests or in the public interests. If you do object, you should provide specific reasons why you are objecting to the processing of your data. You should be aware that this is not an absolute right, and we can continue processing if we can demonstrate compelling legitimate grounds for the processing or if the processing is for the establishment, exercise or defence of legal claims. If we cannot comply with your request, we will clearly explain our reasons.

Right to restrict processing” In some circumstances, you have the right to ask us to restrict the processing of your personal data. This may be because you have issues with the content or accuracy of the information we hold and want us to restrict processing whilst these issues are addressed. Alternatively it could be because you have objected to our processing of your data for the purposes of our legitimate interests, and you want us to restrict processing whilst we considering our response. Where we comply with these requests, we will always inform you before lifting the restriction.

Consent withdrawal: Where you have given clear consent for us to process your personal data for a specific purpose, you have the right to withdraw your consent at any time. Please note that we do not rely on consent for the majority of employee personal information we process.

 

Changes to this policy

As Rugby AM changes, this Privacy Policy is expected to change as well. We reserve the right to amend this Privacy Policy at any time, for any reason, without notice to you, other than the posting of the amended Privacy Policy on our websites. We may email periodic reminders of this Privacy Policy and will email relevant data subjects to notify them of any material changes. You should check our website frequently to see the current Privacy Policy that is in effect and any changes that may have been made to it.

 

More information & Complaints

Should you have any questions regarding this Privacy Policy or if you wish to make a complaint about how we process your personal information, please contact contact@rugbyam.co.uk or Rugby AM, Unit 22 Holly Park Mills, Woodhall Road, Calverley, LS28 5AX.

You are also able to make a complaint to the Information Commissioner’s Office (ICO) if you think your data protection rights have been breached in any way by us. You can do this by contacting the ICO at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, visit the ICO website or email casework@ico.org.uk.