At Catch, your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your personal information. By using our website, services, or products, you agree to this Privacy Policy. If you have any questions, contact us at rebecca@catchswim.com.
1. What Information We Collect
We may collect the following information when you interact with us:
- Account Data: Name, email address, phone number, date of birth.
- Training Data: Swimming ability, goals, performance metrics, session results, progress tracking
- Health Information: Self-reported swimming ability, medical conditions affecting training (with explicit consent)
- Payment Details: Billing information processed securely through Stripe and RevenueCat
- Location Data: Pool location types, open water venues (when you choose to share)
- Device Information: Device type, operating system, app usage analytics
- Calendar Data: Training session scheduling (only when you connect calendar services)
- Community Data: Posts, comments, interactions in community features
- Referral Data: Referral codes used and generated
Automatically Collected Data
- Usage Information: How you interact with our app and services
- Technical Data: IP address, browser type, device identifiers
- Performance Data: App performance metrics and crash reports
2. How We Use Your Information
Your data is used to:
- Personalise your swimming plans and content recommendations.
- Process payments for memberships.
- Improve our website and services.
- Communicate updates, offers, and important information.
- Ensure compliance with legal obligations and safeguard user safety.
- Analyse usage patterns to enhance user experience
- Provide customer support and technical assistance
2.1 Legal Basis for Processing
Under UK GDPR, we process your personal data on the following legal bases:
- Contract Performance: To provide our swimming training services, process payments, and manage your account
- Legitimate Interests: To improve our services, send service-related communications, and ensure platform security
- Consent: For email marketing, calendar integration, and optional data processing activities
- Legal Obligation: To comply with accounting, tax, and regulatory requirements
- Vital Interests: For health and safety purposes related to swimming activities
You have the right to withdraw consent at any time where processing is based on consent.
3. Third-Party Data Sharing
We only share your data with trusted third-party processors who help us provide our services:
Service Providers:
- Supabase (Database hosting - EU/UK servers)
- Stripe (Payment processing - adequate safeguards in place)
- RevenueCat (Subscription management - EU representative available)
- Mailchimp (Email marketing - only with your consent)
- Google Calendar API (Calendar sync - only when you connect your calendar)
- Microsoft Calendar API (Calendar sync - only when you connect your calendar)
Legal Disclosures:
We may disclose your information if required by law, court order, or to protect our rights and safety.
All third-party processors are bound by data processing agreements and must comply with UK GDPR requirements.
4. How We Protect Your Information
We take security seriously and use appropriate measures, such as:
- Data encryption during transmission and storage.
- Secure servers and restricted access to personal information.
- Regular monitoring and updating of our systems.
However, no online platform is 100% secure. Please protect your account by using a strong password and keeping it confidential.
5. Your Data Rights
Under the UK GDPR, you have the right to:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request the deletion of your data (subject to legal obligations).
- Restriction: Limit how your data is processed in certain circumstances.
- Data Portability: Receive your data in a structured, commonly used format.
- Object: Withdraw consent for specific data uses, such as marketing communications.
- Automated Decision Making: Not to be subject to purely automated decisions (we don't use automated profiling)
How to Exercise Your Rights:
- Email us at: rebecca@catchswim.com with your request
- Response Time: We will respond within one calendar month
- Identity Verification: We may ask for ID verification to protect your privacy
- No Fee: Exercising your rights is free unless requests are excessive
Data Export Process:
To request your data export, email us at rebecca@catchswim.com with "Data Export Request" in the subject line. We will provide your data in JSON format within 30 days.
5.1 Children's Data
Our services are designed for users aged 16 and over. We do not knowingly collect personal data from children under 16 without parental consent.
If you are a parent/guardian and believe your child under 16 has provided us with personal data, please contact us immediately at rebecca@catchswim.com.
If we discover we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly.
6. Cookies & Tracking
We use cookies and similar technologies to:
- Enhance user experience.
- Track usage patterns and site performance.
- Deliver personalised content and ads.
You can manage or disable cookies in your browser settings. For more details, refer to our Cookie Policy.
7. Third-Party Links
Our website may contain links to third-party sites. We’re not responsible for the privacy practices of those websites. Please review their privacy policies separately.
8. Data Retention
We retain your personal data only as long as necessary:
Active Accounts:
- Training Data: Retained while your account is active
- Performance Metrics: Retained while your account is active
- Payment Records: 7 years (legal requirement for accounting)
- Marketing Data: Until you withdraw consent
Deleted Accounts:
- Most Data: Deleted immediately upon account deletion request
- Financial Records: Retained for 7 years (legal obligation)
- Aggregated Analytics: May be retained indefinitely (anonymized)
Automatic Deletion:
- Inactive accounts (no login for 3+ years) will receive a deletion notice
- Accounts with no response to the deletion notice will be deleted after 90 days
9. International Data Transfers
Some of our service providers are located outside the UK. We ensure adequate protection through:
- Adequacy Decisions: Transfers to countries with adequate data protection
- Standard Contractual Clauses: EU-approved safeguards for other transfers
- Additional Safeguards: Technical and organizational measures for data security
Current International Transfers:
- Stripe: USA (adequate safeguards via Standard Contractual Clauses)
- RevenueCat: USA (adequate safeguards via Standard Contractual Clauses)
- Google/Microsoft: Various locations (your choice to connect calendar services)
You have the right to obtain information about these safeguards by contacting us.
9.1 Data Breach Notification
In the unlikely event of a data breach that poses a high risk to your rights and freedoms, we will:
- Notify the ICO within 72 hours of becoming aware of the breach
- Notify affected users without undue delay
- Provide clear information about the breach and steps being taken
- Offer guidance on protecting yourself from potential harm
You can report suspected security issues to security@catchswim.com.
10. Updates to This Policy
We may update this Privacy Policy occasionally to reflect changes in our practices or regulations. Significant updates will be communicated via email or our website.
11. Contact Us
If you have any questions, concerns, or requests related to your personal data, reach out to:
Email: rebecca@catchswim.com
Data Protection Officer: rebecca@catchswim.com
Thank you for trusting Catch.