GDPR compliance for Badsquash
The team behind Badsquash has always taken data privacy very seriously with the following guiding
- The absolute minimum of personal data is stored on the system.
- Personal data that you don't want anyone else to have is stored encrypted in the database.
- Personal data is not accessible to anyone other than the user themselves or admins apart from contact
details for the boxes which can be seen by other box players.
- We do not contact you unless you contact us or an issue arises with your data that we can only resolve
by asking you.
- We do not pass your personal data to any third party.
Compliance with GDPR requires the following:
- We know what personal data we have, how it is stored and have control over it. We do.
- Have security measures in place to protect personal data. We do.
- We use an encrypted (https) connection with your browser.
- We store sensitive data encrypted.
- We have a filter on accesses to the site that can identify attacks and block them.
- We will tell you about any breach of your data - though as it's stored encrypted, the data is not usable outside of
the Badsquash system.
- You can find out what personal data we have for you - this is listed below.
- If your personal data is incorrect we can correct it for you. Members are able to correct (and lock) their
- We can tell you what we do with your personal data. The answer is very little. We show your name and use
your date of birth (if we have it) to calculate your age group. Nearly all the processing is done on your results
which is not personal data.
- We can tell you how long we will keep your data. The answer is forever as it is needed for as long as we
hold results for you. This leads to the point below...
- You can ask us to remove your data from the system and be 'forgotten'.
- We can tell you who we share your personal data with. The answer is no-one. Though your name, which is not specifically
shared, is in open view on the site along with everyone else's. Your name can be withheld on request.
We don't keep much personal data. This is the full list if you have provided it to us:
- Your name. This comes in with your results though you can change it and/or lock it so it's not overridden. This is
the one piece of personal data that is not hidden.
- Your email address if you register with us. We also hold your email address if you enter it as part of your
contact details for the boxes.
- Your password. This is encrypted on your browser even before it is sent to Badsquash. The system never sees your
- Your phone number if you enter it as part of your contact details for the boxes.
- Your NGB ID (such as ES membership number).
- Your date of birth if it came in with your results or you entered it yourself, or maybe an admin entered it for you.
Stored encrypted. It's a write-only value so no-one can read it - not even admins.
- Your IP address is recorded as part of the website usage tracking. Tracking data is kept for up to 30 days
and is auto-deleted after that. There is a mapping between IP address and user name but only the system admin can
access it. This is sometimes needed if your access becomes blocked in the event you trigger a 'robot behaviour'
Your results are not considered personal data. They are already available in the public domain on other websites so there's
little Badsquash can do to keep them private!
GDPR doesn't insist on consent but we feel it is the right thing to do. There are two types of consent we will be
- Users - that you are OK with our policy as defined above. If a user is not willing to give consent then we will
need to rescind their membership and remove their personal data. We can also provide a pro-rata refund if more than
6 months of membership remain.
- Admins - that you agree to meet the same strict constraints in order to maintain the policy as defined above. If
an admin is not willing to give consent then we will need to rescind their admin privelages. They can still be a user.
The consent tick boxes are now available to tick in your
so please take a look and check the box - or not - as appropriate. You will need to take action
as the default will be non-consent. We hope you are fine will all of this and tick all the necessary boxes! Nothing
has changed - we are just ensuring compliance with GDPR.
Clubs and boxes
There is a special case for clubs who run boxes and put a tablet on the wall. This is great as it replaces the
old sheets on the notice board and brings your club into the 21st century but it does mean that personal details are on
show in the corridor. Mind you, the old sheets have the same problem...
It's possible to hide contact details (though that rather defeats the object) but our recommendation
is to ask the clubs to ask players for their consent to show their details on the wall. The admins are already
covered by the consent described above.
Find out more
That's about it. We're unlikely to be a target for political skulduggary! If you want to find out more about GDPR then please
see the main website here: EUGDPR.org.