Whitebelt Privacy Policy

Operated by Kingsley and Garrett Ltd

Version 1.0 — Last updated:

1. Who We Are

Whitebelt is operated by Kingsley and Garrett Ltd, a company incorporated in England and Wales (Company No. 10029958), registered office at 10 Bolt Court, 3rd Floor, London, United Kingdom, EC4A 3DQ.

We are registered with the Information Commissioner’s Office (ICO) under registration number ZA444726.

In this policy, “we”, “us” and “Whitebelt” refer to Kingsley and Garrett Ltd.

Questions or requests relating to this policy should be directed to: hello@whitebelt.co.uk

2. What This Policy Covers

This privacy policy explains how we, Kingsley and Garrett Ltd, collect and use personal data when you interact with the Whitebelt platform. It covers two distinct situations:

  • Our role as a data controller — when we collect and use information about the instructors and club administrators who create Whitebelt accounts.
  • Our role as a data processor — when we store and process personal data about students on behalf of those instructors. In that situation, the instructor is the data controller and is responsible for their own privacy obligations to their students and parents.

3. Part One: Data We Hold About Instructors and Club Administrators

This section applies to you if you have created an account on Whitebelt to manage your club or students.

3.1 What We Collect and Why

What we collect Why we collect it Lawful basis Retention
Your name and email address To create and manage your account, send you service-related emails (password resets, notifications) Performance of contract (Article 6(1)(b) UK GDPR) For the duration of your account, plus 12 months
Billing information (name, billing address) To process your subscription payment and issue receipts Performance of contract (Article 6(1)(b)) 7 years from last transaction (legal obligation)
Payment card details To charge your subscription fee Performance of contract (Article 6(1)(b)) Held by Stripe only — we never store card numbers
Club or organisation name To identify your account and display within the platform Performance of contract (Article 6(1)(b)) For the duration of your account, plus 12 months
Login activity and platform usage logs Security, fraud prevention, and debugging Legitimate interests (Article 6(1)(f)) — securing the platform 90 days
Error and crash reports To identify and fix technical problems with the platform Legitimate interests (Article 6(1)(f)) — improving the service 90 days

3.2 Payment Processing

We use Stripe to process subscription payments. When you enter payment details, those details are sent directly to Stripe and are never stored on our servers. Stripe is PCI-DSS compliant. You can read Stripe’s privacy policy at stripe.com/gb/privacy.

3.3 Transactional Emails

We use SendGrid (Twilio Inc.) to send transactional emails such as account confirmations and password resets. SendGrid processes your email address for this purpose only. SendGrid servers are located in the United States; transfers are made under appropriate safeguards. You can read SendGrid’s privacy policy at sendgrid.com/policies/privacy.

3.4 Error Tracking

We use Bugsnag (SmartBear Software) to capture error reports when technical problems occur in the platform. Bugsnag may capture your account identifier and technical context (browser type, error stack trace) when an error occurs. We use this solely to fix bugs. You can read Bugsnag’s privacy policy at smartbear.com/privacy.

3.5 Marketing

We do not send marketing emails. We will only contact you about your account and the service.

3.6 Your Rights as an Instructor

As a data controller for your own account data, you have the following rights under UK GDPR:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate data.
  • Right to erasure — you can ask us to delete your account and associated data, subject to any legal retention obligations.
  • Right to restriction — you can ask us to restrict processing in certain circumstances.
  • Right to data portability — you can request your account data in a machine-readable format.
  • Right to object — you can object to processing based on legitimate interests.

To exercise any of these rights, contact us at hello@whitebelt.co.uk. We will respond within one month. If you are unhappy with our response, you have the right to complain to the ICO at ico.org.uk or by calling 0303 123 1113.

4. Part Two: Student Data Processed on Behalf of Instructors

4.1 Our Role

Whitebelt provides a platform that instructors use to record information about their students. In doing so, we act as a data processor — we store and process student data only on the instructions of the instructor (the data controller). We do not use student data for our own purposes.

Our obligations as a processor are set out in our Data Processing Agreement with each instructor, which forms part of our Terms of Service.

4.2 Categories of Student Data the Platform Can Hold

The platform is capable of holding the following categories of student data. Which of these an instructor actually collects is entirely at the instructor’s discretion:

  • Full name
  • Date of birth
  • Contact details (address, telephone number, email address)
  • Emergency contact and next of kin details
  • Medical or health information (if entered by the instructor)
  • Grading and attendance records
  • Photographs (if uploaded by the instructor)
  • Any other information entered into free-text fields by the instructor

The platform may hold personal data relating to children under the age of 18. This data is entered by the instructor, not by the children themselves.

4.3 How We Protect Student Data

Although instructors are the data controllers for student data, we take our processor obligations seriously. We apply the following measures:

  • Student data is hosted on Heroku (Salesforce Inc.) infrastructure. Data is stored in encrypted form at rest.
  • Access to student data within the platform is restricted to the instructor’s account.
  • We do not analyse, sell, or share student data with any third party, other than the Sub-processors listed in our Data Processing Agreement (principally Heroku for hosting).
  • In the event of a security incident affecting student data, we will notify the relevant instructor without undue delay and within 48 hours.

4.4 International Transfers of Student Data

Student data is hosted on Heroku servers located in the United States. Heroku (Salesforce Inc.) participates in the UK-US Data Bridge, which provides an adequate level of protection for transfers of personal data from the UK to the US. We verify Heroku’s certification status regularly.

4.5 Retention of Student Data

Student data is retained for as long as the instructor’s account is active. If an instructor closes their account, all associated student data is deleted within 30 days, unless the instructor requests earlier deletion or export.

Instructors can delete individual student records or export their data at any time from within the platform.

4.6 Rights of Students and Parents

Because instructors are the data controllers for student data, requests from students or parents to access, correct, or delete their data should be directed to the relevant instructor, not to Whitebelt.

However, if you believe your data is being processed unlawfully through the Whitebelt platform, you may contact us at hello@whitebelt.co.uk and we will investigate and respond within one month.

5. Where Your Data Is Stored

The Whitebelt platform is hosted on Heroku (Salesforce Inc.) infrastructure in the United States. We also use the following third-party services which may process personal data:

Provider Purpose Location Safeguard
Heroku (Salesforce) Application and database hosting United States UK-US Data Bridge
Stripe Payment processing United States UK-US Data Bridge
SendGrid (Twilio) Transactional email United States UK-US Data Bridge / SCCs
Bugsnag (SmartBear) Error tracking United States SCCs / IDTA

SCCs = Standard Contractual Clauses / UK International Data Transfer Agreement.

6. Security

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These include encrypted storage, access controls, and regular security reviews.

No system is completely secure. If you believe your account has been compromised, please contact us immediately.

7. Cookies

Whitebelt uses cookies that are strictly necessary to operate the platform (for example, to maintain your logged-in session). We do not use advertising or tracking cookies. You can control cookies through your browser settings, but disabling necessary cookies will prevent the platform from functioning correctly.

8. Changes to This Policy

We may update this policy from time to time. We will notify account holders of material changes by email or by a prominent notice within the platform. The date of the most recent version is shown at the top of this document.

Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

9. Contact Us and How to Complain

For any questions about this policy or to exercise your rights, contact us at: hello@whitebelt.co.uk

Kingsley and Garrett Ltd
10 Bolt Court, 3rd Floor
London, United Kingdom
EC4A 3DQ

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always prefer the opportunity to address your concerns before you contact the ICO, so please do reach out to us first.