Privacy Policy

Last updated: [DATE]. Version 1.

What this means in practice. Courseside is a UK limited company that collects personal information from its members — UK and Irish racegoers and racing-curious non-attenders — to run a free prize draw and to publish anonymised insight reports for the racing industry. We collect only what we need, keep it only as long as we need it, never sell it, and let you see, correct or delete it at any time. The formal sections below cover what GDPR requires us to spell out. If anything is unclear, email support@courseside.co.uk and we will explain in plain English.

1. Controller

The data controller is Courseside Ltd, a company registered in England and Wales, company number [COMPANY NUMBER], registered office [REGISTERED OFFICE].

Courseside Ltd is registered with the UK Information Commissioner's Office under reference [ICO NUMBER]. For Irish members we are also notified to the Irish Data Protection Commission under reference [DPC REF].

In plain English: Courseside Ltd decides how your data is used. If something goes wrong, we are the people responsible.

2. Purposes

We use your personal data for the following purposes only:

• to run your Collective membership (welcoming, account, communications);
• to send you quarterly surveys and the monthly newsletter you signed up for;
• to enter you into free prize draws and contact you if you win;
• to invite you as a Mystery Racegoer if your profile matches an open course brief;
• to publish anonymised, aggregated insight about UK and Irish racegoers;
• to comply with our legal obligations (records of consent, prize-draw audit trails, tax records).

We do not use your data for behavioural advertising, ad-targeting profiles, or sale to third parties. Ever.

3. Lawful basis

We rely on the following lawful bases under Article 6 of the UK / EU GDPR:

• Consent (Article 6(1)(a)) — for sending you the newsletter and for inviting you as a Mystery Racegoer.
• Contract (Article 6(1)(b)) — for running your membership and your prize-draw entries.
• Legal obligation (Article 6(1)(c)) — for keeping records the Gambling Commission, HMRC or our auditors may require.
• Legitimate interest (Article 6(1)(f)) — for analysing aggregated survey data to publish industry reports. You can object at any time.

4. Recipients

Your data is processed by:

• Courseside Ltd's founder, and any specifically named contractors who have signed a written data processing agreement with us;
• our tooling providers acting as processors on our behalf: Google (Forms, Sheets, Workspace), Typeform (surveys), Buttondown or Mailchimp (newsletter), Zapier (automation between the two), Cloudflare (DNS, email routing, hosting).

We never share your data in identifiable form with racecourses, sponsors, the BHA, HRI, the Racing Post, or any other third party. Published Courseside reports use aggregated, anonymised data only.

5. Retention

• Membership data — kept while you are an active member and for 12 months after your last quarterly survey, then deleted.
• Prize-draw entries — kept for 6 years to satisfy Gambling Commission and audit requirements.
• Survey responses — anonymised within 30 days of survey close. The anonymised dataset is kept indefinitely.
• Newsletter consent records — kept while you remain subscribed plus 12 months after you unsubscribe.

6. Rights

Under UK GDPR (and EU GDPR for Irish members) you have the right to:

• ask for a copy of your data;
• correct anything that is wrong;
• ask us to delete your data;
• restrict how we use it;
• port it to another controller;
• object to processing we are doing on the basis of legitimate interest;
• withdraw any consent at any time (this does not affect lawful processing already done).

To exercise any right, email support@courseside.co.uk. We will respond within one calendar month.

7. Transfers

All of the processors named in section 4 are based in either the United Kingdom, the EEA, or third countries covered by a UK or EU adequacy decision. Where data is transferred to a third country without an adequacy decision, we rely on the UK International Data Transfer Addendum or the EU Standard Contractual Clauses. We can share copies of these on request.

8. Complaints

You can complain to a supervisory authority at any time. In the United Kingdom: the Information Commissioner's Office. In the Republic of Ireland: the Data Protection Commission.

We would rather hear from you first — email support@courseside.co.uk — but you do not have to.