Skip to main content
SMCCSMCC
← Home

Legal

Privacy policy

Last updated: 16 May 2026

Sevenoaks Model Car Club (“SMCC”, “we”, “us”) takes your privacy seriously. This policy explains what personal information we collect, why we collect it, how we use it, and what rights you have. It covers everything we do as a club — our website at smccracing.uk, our booking system, and our race-night operations.

Who we are

SMCC is an unincorporated members' club based in Sevenoaks, Kent, racing at Sackville School in Hildenborough. We are the data controller for the personal data described in this policy. You can reach us at sevenoaksmodelcarclub@gmail.com.

What data we collect

We collect only what we need to run the club. That includes:

  • Account details — your name and email address, so you can log in and we can contact you about bookings.
  • Driver details — first name, last name, date of birth, and phone number for each driver you register. Date of birth is required so we can apply the correct pricing and check whether a driver is a junior or needs guardian consent.
  • BRCA membership number and validity date, where applicable. We need this because BRCA membership is required to race after a small number of trial meetings.
  • Guardian consent — for drivers under 18, the name of the parent or guardian giving consent, their relationship to the driver, and the date consent was given.
  • Equipment details — transponder numbers and car information so we can identify your car on the timing system.
  • Booking and payment records — which races you booked, what you paid, and any refunds or credits. Card details are handled entirely by Stripe; we never see or store them.
  • Communication you send us — messages sent through the contact form or by email.
  • Technical logs — minimal access logs (IP address, user agent, timestamps) kept by our hosting provider for security and reliability.

Why we collect it (lawful basis)

Under UK GDPR every use of your data has to have a lawful basis. We rely on:

  • Contract — for everything needed to deliver membership and bookings: managing your account, processing payments, providing race entries, contacting you about bookings.
  • Legal obligation — for retaining payment records as required by HMRC tax rules, and for safeguarding records relating to junior members.
  • Legitimate interests— for running the club (validating BRCA membership, sharing driver lists with our race control software, internal admin), provided this doesn't override your rights and freedoms.
  • Consent — for parental/guardian consent on under-18 drivers. We never use your data for marketing.

Who we share your data with

We don't sell your data. We share it only with the service providers we need to run the club:

  • Supabase (database and authentication) — hosted in the EU (London region).
  • Stripe (payment processing) — receives the information needed to take a card payment when you book. Stripe is UK-based with infrastructure in the EU and US, covered by appropriate safeguards.
  • Resend (transactional email) — delivers the emails we send you (booking confirmations, login links, contact-form acknowledgements).
  • Vercel (website hosting) — runs smccracing.uk.
  • RC-Timing (race control software) — receives driver name, BRCA number, transponder number, class, and junior status before each race, so the timing system can produce results.
  • BRCA (British Radio Car Association) — we occasionally validate membership numbers with BRCA. We may also share results data with them in line with their national reporting.

Where any of these providers transfers data outside the UK or EEA, they do so under the safeguards required by UK GDPR (standard contractual clauses or equivalent).

How long we keep it

We keep your account and driver data for as long as you remain a member. If you ask us to delete your account, we'll remove your personal data within 30 days of receiving your request.

One exception: financial records (payment amounts, dates, and basic transaction details) are kept for six years to meet our obligations under HMRC tax rules. These records are kept against an anonymised reference rather than your name once your account is deleted.

Safeguarding records relating to junior members may be retained for longer where required by law or by the club's safeguarding policy.

Your rights

Under UK GDPR you have the right to:

  • Access — ask for a copy of the personal data we hold about you.
  • Rectification — ask us to correct anything that is wrong. Most of this you can do yourself from your account page.
  • Erasure — ask us to delete your account and the personal data associated with it (subject to the financial-record exception above).
  • Portability — ask for a copy of your data in a machine-readable format.
  • Restriction — ask us to limit what we do with your data while we resolve a query.
  • Objection — object to processing based on our legitimate interests.

You can do most of these directly from your account page: download a copy of your data as JSON, update your details, or submit a deletion request. Deletion requests are reviewed by the committee and processed within 30 days. For anything else, email sevenoaksmodelcarclub@gmail.com or use the contact form. There's no charge for any data request.

Children's data

We collect data on junior racers (under 18) only with verifiable consent from a parent or guardian. For under-13s in particular — where UK GDPR sets the minimum age of digital consent — we require explicit guardian consent before the driver can be registered or book races.

Junior accounts are normally created and managed by the parent or guardian on their own login. We try to keep what we collect about children to the absolute minimum needed to race safely (name, date of birth, BRCA number, guardian contact, equipment details).

Cookies

We use a small number of essential cookies — only what's needed to keep you signed in when you visit the site. We don't use analytics cookies, advertising cookies, or any tracking technology. See our cookies page for more detail.

Security

We use reputable providers (Supabase, Vercel, Stripe, Resend) who all maintain strong security practices. Data in transit is encrypted (HTTPS). Database access is restricted by row-level security so members can only see their own data. If a security incident affects your data, we'll tell you and the ICO within 72 hours where required by law.

Changes to this policy

We may update this policy from time to time. The date at the top of the page will always reflect the latest version. If we make material changes affecting how we use your data, we'll email you before the change takes effect.

Complaints

If you're unhappy with how we've handled your data, please tell us first so we can put it right — sevenoaksmodelcarclub@gmail.com. If you're still not happy, you have the right to complain to the Information Commissioner's Office:

ico.org.uk/make-a-complaint · 0303 123 1113