Privacy Policy
Effective Date: 28th February 2026 Last Updated: 28th February 2026
1. Who We Are
This Platform is operated by: Tableized Limited
Tableized Limited
Registered in the United Kingdom
Company Number: 12822719
Email: privacy@tableized.com
For the purposes of UK GDPR and EU GDPR:
- We act as a Data Controller in relation to user accounts, platform administration, security, billing, SMS communications and emergency contact storage.
- We act as a Data Processor (or Sub-Processor) when processing event entry data on behalf of race organisers (“Organisers”).
Organisers using the Platform are generally independent Data Controllers in respect of the events they manage.
2. Scope of This Policy
This policy applies to:
- Registered users
- Competitors entered into events
- Organiser officials
- Website visitors
3. Categories of Personal Data We Process
3.1 Account & Profile Data
- Name
- Email address
- Mobile telephone number
- Postal address (if provided)
- Login credentials (securely encrypted)
3.2 Emergency Contact Data (Stored at Account Level)
Users may store emergency contact details in their account to enable prefilling of race entry forms and to assist Organisers in safeguarding participants.
This may include:
- Emergency contact name
- Relationship to participant
- Telephone number(s)
We do not use emergency contact details for marketing or SMS campaigns.
3.3 Event Entry Data
- Competitor name
- Date of birth or age category
- Gender
- Club affiliation
- Ranking or handicap
- Governing body membership details
- Emergency contact details (if required for a specific event)
3.4 Payment Data
Payments are processed by:
- Stripe Payments Europe, Ltd.
- PayPal (Europe) S.à r.l. et Cie, S.C.A.
- SumUp Payments Limited
We do not store full payment card details. Payment providers act as independent Data Controllers.
3.5 Race Results Data
- Finishing times
- Positions
- Rankings
- Category results
3.6 Technical & Security Data
- IP address
- Device and browser information
- Login timestamps
- Audit logs
- Usage data
4. How We Collect Data
We collect data:
- Directly from users during registration or event entry
- From Organisers or governing bodies where linked
- Automatically via system logging and security tools
5. Lawful Basis for Processing (GDPR)
We rely on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Account creation | Contract |
| Event entry processing | Contract |
| Payment validation | Contract |
| Emergency contact storage | Legitimate Interests / Contract |
| Security monitoring | Legitimate Interests |
| Publication of entry lists/results | Legitimate Interests |
| Membership validation | Legitimate Interests |
| Transactional SMS | Contract |
| Marketing SMS | Consent |
| Financial record retention | Legal Obligation |
Where processing relies on Legitimate Interests, we ensure that those interests do not override your fundamental rights.
6. Emergency Contact Information
Emergency contact details are stored to:
- Prefill event entry forms
- Enable Organisers to contact a responsible person in the event of an incident
- Support participant welfare and safeguarding
User Confirmation
By providing emergency contact details, you confirm that:
- You have informed the individual that their details are being provided; and
- You have authority to provide this information.
Access Controls
Emergency contact details:
- Are visible only to the user and authorised Organisers for events entered
- Are protected by role-based access controls
- Are logged when accessed by Organiser officials
- Are never used for marketing or promotional communications
Sharing
Emergency contact details may be shared with:
- Event Organisers
- Authorised event officials responsible for safeguarding
- Emergency services where necessary
7. Children’s Data
Where events involve participants under 18:
- A parent or legal guardian must submit the entry.
- The submitting adult confirms they have authority to provide the child’s data.
- Marketing SMS messages are not sent directly to minors.
We take additional care in relation to publication of junior competitor information.
8. SMS Communications & US A2P 10DLC Compliance
8.1 Collection of Mobile Numbers
We collect mobile numbers for:
- Account verification
- Entry confirmations
- Event reminders
- Safety notifications
- Optional marketing communications (if consented)
8.2 A2P 10DLC Compliance
For US mobile numbers:
- Messaging campaigns are registered under A2P 10DLC requirements.
- We maintain brand and campaign registration where required.
- Message frequency and sender identity are disclosed.
8.3 Consent
Marketing SMS messages are sent only where express consent is obtained.
Users may opt out at any time by:
- Replying STOP to an SMS
- Adjusting account settings
- Contacting privacy@tableized.com
Transactional messages relating to event entries may be sent where necessary for contractual performance.
Emergency contact numbers are not enrolled in SMS campaigns.
9. Publication of Entry Lists and Results
Organisers may publish limited competitor information for:
- Event administration
- Rule compliance
- Transparency of competition
Published information may include:
- Name
- Club
- Age category
- Ranking
- Results
Publication is based on legitimate interests in fair competition and sporting transparency.
You may object to publication in accordance with Section 14.
10. Data Sharing
We may share data with:
- Organisers (as independent Data Controllers)
- Payment processors
- Governing sports bodies
- IT service providers under written data processing agreements
- Law enforcement or regulators where legally required
We do not sell personal data.
11. International Transfers
Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, such as:
- UK International Data Transfer Agreement (IDTA)
- EU Standard Contractual Clauses (SCCs)
- Transfers to countries with adequacy decisions
Payment providers may process data internationally under their own safeguards.
12. Data Retention
| Data Category | Retention Period |
|---|---|
| User accounts | Duration of account + 3 years inactivity |
| Emergency contact data | While account active |
| Event entry data | 6 years |
| Payment records | 6 years |
| SMS consent records | 4 years |
| Security logs | Up to 12 months |
Users may delete emergency contact details at any time via account settings.
13. Security Measures
We implement appropriate technical and organisational safeguards including:
- HTTPS encryption in transit
- Encryption at rest where appropriate
- Role-based access controls
- Multi-tenant data segregation
- Audit logging of access to sensitive data
- Regular security monitoring
14. Your Rights
Under UK GDPR / EU GDPR you have the right to:
- Access your personal data
- Rectify inaccurate data
- Request erasure
- Restrict processing
- Object to processing
- Data portability
- Withdraw consent at any time
- Lodge a complaint with the Information Commissioner’s Office (ICO) or your local supervisory authority
Requests may be submitted to:
privacy@tableized.com
15. Automated Decision-Making
We do not conduct automated decision-making that produces legal or similarly significant effects.
16. Organiser Responsibilities
Organisers using the Platform:
- Act as independent Data Controllers
- Must process personal data lawfully
- Must not use data for unrelated marketing without valid consent
- Must implement appropriate safeguards
- Must comply with applicable data protection laws
We maintain Data Processing Agreements with Organisers where required.
17. Changes to This Policy
We may update this Privacy Policy from time to time. The latest version will always be published on this page with an updated effective date.