Privacy Policy | Round Table London West End 623

1. Data Controller Identity

Data Controller: Round Table London West End No. 623

Contact Email: london.westend@roundtable.org.uk

Organisation Type: Voluntary fellowship organisation (part of Round Tables of Great Britain and Ireland)

Location: London, West End, United Kingdom

As the data controller, we are responsible for deciding how and why your personal data is processed. We take this responsibility seriously and have implemented appropriate technical and organisational measures to protect your data.

2. What Data We Collect

2.1 Guestbook Entries

When you submit a message to our visiting book, we collect:

Name: Your full name or first name and Table name
Club/Table: Your Round Table club or Table number
Message: The message you write in the guestbook
Timestamp: Date and time of submission (automatically recorded)

2.2 Admin Access

For administrators managing the website, we collect:

Email address: Used for authentication
Session tokens: Secure authentication tokens (automatically managed)
Login activity: Timestamps of login and logout events

2.3 Technical Data

To maintain site security and prevent abuse, we may collect:

IP address: Used for rate limiting and spam prevention
Browser information: User agent string for compatibility and security
Page views: Which pages you visit (aggregated, not personally identifiable)

2.4 Cookies and Local Storage

We use browser storage to enhance your experience:

Cookie consent preferences: Stored in localStorage (expires after 13 months)
Rate limiting data: Temporary submission tracking (expires after 1 hour)
Admin session: Authentication session (expires after 7 days)

We do not use third-party tracking cookies or analytics that identify you personally. Essential cookies are necessary for the website to function and do not require consent under GDPR.

3. Legal Basis for Processing

We process your personal data under the following legal bases as defined in GDPR Article 6:

3.1 Legitimate Interests (Article 6(1)(f))

We process guestbook entries and technical data based on our legitimate interest in operating a fellowship organisation, maintaining a record of visiting Tablers, and preventing spam and abuse. We have conducted a legitimate interests assessment and determined that our interests do not override your fundamental rights and freedoms.

3.2 Consent (Article 6(1)(a))

Where required, we obtain your explicit consent before processing personal data, particularly for:

Non-essential cookies and tracking (if implemented)
Optional communications or newsletters (if you opt in)

You may withdraw your consent at any time by contacting us.

3.3 Contractual Necessity (Article 6(1)(b))

For admin accounts, we process your email address and authentication data as it is necessary to provide you with access to the content management system.

4. How We Use Your Data

We use your personal data for the following purposes:

4.1 Site Operations

Display approved guestbook entries on the public website
Manage website content through the admin dashboard
Maintain a historical record of visiting Tablers and their messages
Provide you with access to requested services and features

4.2 Security and Compliance

Prevent spam, abuse, and automated submissions (rate limiting)
Detect and block malicious activity or security threats
Comply with legal obligations under UK data protection law
Maintain audit logs for compliance and accountability

4.3 Service Improvement

Understand how visitors use the website (aggregated analytics only)
Identify and fix technical issues
Improve the user experience and website functionality

We do not sell, rent, or share your personal data with third parties for marketing purposes. We do not use your data for profiling or automated decision-making.

5. Data Retention Periods

We retain your personal data for different periods depending on the type of data and purpose:

Data Type	Retention Period	Reason
Guestbook entries	Indefinitely (unless deletion requested)	Public record of club history and visiting Tablers
Admin sessions	7 days	Security - automatic logout after period of inactivity
Consent logs	2 years	Compliance audit trail for GDPR accountability
Rate limit data	1 hour	Temporary spam prevention (auto-deleted)
Technical logs	24 hours	Security monitoring and troubleshooting

You may request deletion of your guestbook entry at any time (see section 8 below). Once deleted, your data cannot be recovered.

6. Data Sharing and Processors

We do not share your personal data with third parties for marketing purposes. We only share data with trusted service providers who act as data processors on our behalf:

6.1 Supabase (Database Hosting)

Service: PostgreSQL database and authentication services
Location: EU-West-2 (London, United Kingdom) - data stays in the UK/EU
GDPR Compliance: Supabase is GDPR-compliant and has signed a Data Processing Agreement (DPA)
Data stored: Guestbook entries, admin accounts, site content, consent logs
Privacy Policy: supabase.com/privacy

6.2 Vercel (Website Hosting)

Service: Static website hosting and content delivery
Location: Global CDN (with UK/EU data processing)
GDPR Compliance: Vercel is GDPR-compliant with appropriate safeguards
Data stored: Website files, server logs (minimal, temporary)
Privacy Policy: vercel.com/legal/privacy-policy

Both processors have committed to GDPR compliance and use appropriate technical and organisational measures to protect your data. We have conducted due diligence to ensure they meet our data protection standards.

7. Your Rights Under GDPR

Under UK GDPR (Articles 15-22), you have the following rights regarding your personal data:

7.1 Right to Access (Article 15)

You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format (typically JSON).

7.2 Right to Rectification (Article 16)

If your personal data is inaccurate or incomplete, you have the right to request that we correct or complete it.

7.3 Right to Erasure ("Right to be Forgotten") (Article 17)

You have the right to request deletion of your personal data where:

The data is no longer necessary for the purposes it was collected
You withdraw consent (where consent was the legal basis)
You object to processing and there are no overriding legitimate grounds
The data has been unlawfully processed

Note: This right is not absolute. We may retain data where we have a legal obligation or legitimate interest to do so (e.g., preventing fraud, maintaining historical records).

7.4 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, machine-readable format and to transmit that data to another controller (e.g., another Round Table website).

7.5 Right to Restrict Processing (Article 18)

You have the right to request that we restrict processing of your personal data where:

You contest the accuracy of the data (pending verification)
Processing is unlawful but you don't want the data erased
We no longer need the data but you need it for legal claims
You have objected to processing (pending verification of legitimate grounds)

7.6 Right to Object (Article 21)

You have the right to object to processing of your personal data where we are relying on legitimate interests as the legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

7.7 Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator:

Website: ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

8. How to Exercise Your Rights

To exercise any of your data protection rights, please contact us:

Email: london.westend@roundtable.org.uk

Subject line: "Data Subject Request - [Your Name]"

What to Include in Your Request

Please provide the following information to help us process your request efficiently:

Your full name
The email address or name used when submitting data (if applicable)
A clear description of your request (e.g., "Delete my guestbook entry from 15 March 2026")
Proof of identity (if requesting access to or deletion of sensitive data)

Our Response Timeline

Standard response time: Within 30 days of receiving your request (as required by GDPR)
Complex requests: We may extend this by up to 60 additional days if your request is particularly complex. We will notify you within the first 30 days if an extension is needed.
Free of charge: We do not charge a fee for most requests. We may charge a reasonable fee if your request is manifestly unfounded, excessive, or repetitive.

Identity Verification

To protect your privacy, we may request additional information to verify your identity before processing requests involving personal data access or deletion. This is a security measure to prevent unauthorised disclosure or deletion of data.

9. Data Security Measures

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it from unauthorised access, loss, misuse, or disclosure:

9.1 Technical Security

HTTPS Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3
Encryption at Rest: All data stored in our database (Supabase) is encrypted at rest using industry-standard AES-256 encryption
Row Level Security (RLS): Database access is restricted using fine-grained security policies that prevent unauthorised data access
Secure Authentication: Admin accounts use strong password requirements and secure session management
Rate Limiting: Automated protections prevent spam, brute-force attacks, and abuse

9.2 Organisational Security

Access Control: Only authorised administrators have access to personal data
Input Validation: All user inputs are validated and sanitised to prevent malicious code injection (XSS, SQL injection)
Regular Security Audits: We periodically review our security measures and update them as needed
Secure Development Practices: We follow industry best practices for secure web development

9.3 Data Breach Procedures

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

Notify the ICO within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
Notify affected individuals without undue delay if the breach poses a high risk to their rights
Document the breach, its effects, and the remedial action taken

While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security, but we continuously work to protect your data to the best of our ability.

10. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

How We Notify You of Changes

Last Updated Date: We will update the "Last updated" date at the top of this page
Website Notice: For significant changes, we will display a notice on the homepage for 30 days
Re-consent: If changes materially affect how we process your data, we may request your consent again

We encourage you to review this policy periodically to stay informed about how we protect your personal data.

Previous Versions

This is the first version of our privacy policy, published on 18 April 2026 in compliance with UK GDPR requirements.