Privacy Notice
Soza Health Ltd. · effective 2026-05-07
This notice tells you what personal data we hold about you, why we hold it, who we share it with, how long we keep it, and what your rights are. We wrote it in plain English. If anything is unclear, please contact us using the details at the bottom of this page.
Who we are
Soza Health Ltd.
22 Tulip Tree Close
Bromham
Bedford
MK43 8GH
Email: dpo@sozahealth.com
Telephone: 01234619242
Data Protection: Tim King — dpo@sozahealth.com
What data we hold and why
| Activity | Why we hold the data | How long we keep it |
|---|---|---|
| Membership profile | To identify you as an authorised member of the organisation, to contact you about club activities, and to cater for events you attend. UK GDPR Art. 6(1)(b) — performance of your membership agreement; and Art. 9(2)(a) — explicit consent for dietary information (special-category data). |
For the duration of your active membership, plus 12 months after you leave for handover purposes. Then archived or deleted on request. |
| Notices | Public notices that you authored or were named as a contact on. These are visible to all members of the organisation. UK GDPR Art. 6(1)(f) — legitimate interests in keeping members informed about activities, events and contact points. |
Retained while the notice remains relevant; cleared when superseded. Historical notices may be kept for organisational record-keeping. |
| Breakfast orders | To cater for breakfast events you attended or signed up to. UK GDPR Art. 6(1)(b) — performance of a contract for the meal; Art. 9(2)(a) — explicit consent for any dietary/allergy notes. |
Retained for 12 months after the event for accounting and dispute handling, then anonymised. |
| Document library activity | To support the document library workflow — recording who uploaded each file, who has it checked out, and an access audit log. UK GDPR Art. 6(1)(f) — legitimate interests in the secure operation of a members-only document library, including audit. |
Audit events retained for 12 months; checkout records retained for the life of the document; uploaded files retained indefinitely as organisational records (you may request specific deletions). |
| Course enrolments and progress | To deliver a course you enrolled on and issue a completion certificate. UK GDPR Art. 6(1)(b) — performance of the course-delivery agreement. |
Retained while the course is offered; certificates retained as record of completion. |
| Communications and devices | Email and push notifications sent to you about club activities, plus the device tokens we use to deliver push notifications. UK GDPR Art. 6(1)(f) — legitimate interest in informing members; Art. 6(1)(a) — consent (you opted in via the mobile app). |
Message dispatch log retained for 12 months. Device tokens retained while the device remains registered. |
| Audit and access trail | Records of actions you took on the platform (sign-in, view, export) and changes you made to data, retained as a security audit trail. UK GDPR Art. 6(1)(c) and 6(1)(f) — legal obligation and legitimate interest in maintaining a security audit log. |
Action log retained for 12 months. django-auditlog model-change entries retained for 7 years to support accountability. |
| Game purchases (Spot The Splat + Duck Race) | Records of game-grid squares or race ducks you purchased, including the contact details you supplied at checkout so we can reach you if you win or to handle a dispute. UK GDPR Art. 6(1)(b) — performance of the purchase contract. |
Retained for 7 years for accounting and HMRC purposes (UK retention requirement for transactional records). |
| Furniture deliveries (recipient records) | If you have received a furniture donation, we hold contact + address details so we can deliver and follow up. UK GDPR Art. 6(1)(f) — legitimate interest in coordinating donations to vulnerable recipients via referring charities. |
Retained for 24 months after the last delivery, then anonymised. |
| Roles, positions and group memberships | To track which committee positions and groups you are part of, by year — used to derive the leadership team display. UK GDPR Art. 6(1)(f) — legitimate interest in maintaining an organisational record of officers and committee members. |
Retained as part of the organisation's permanent record. |
| Authentication and sessions | Sign-in identifiers (Google email, Apple subject ID, Django username) and active mobile session tokens used to keep you signed in on the app. UK GDPR Art. 6(1)(b) — performance of the membership login flow. |
Mobile sessions persist while the device is registered; tokens are rotated when you sign out. |
Who we share data with
We share your data only with the people and services we need to run the platform on your behalf:
- Investcope Ltd — Platform processor (runs the SpotTheSplat platform)
- Cloudflare R2 — Object storage (member-uploaded files, DSAR bundles, backups)
- Resend — Transactional email (notifications, magic links, DSAR bundles)
- Stripe Payments Europe Ltd — Payment processing (Spot The Splat, Duck Race, repeat-DSAR fees)
- Fly.io — Application hosting
- Neon — Managed Postgres database
- Firebase Cloud Messaging (Google LLC) — Push notifications to mobile app
- Apple Sign In — Identity provider for mobile + WordPress sign-in
- Google Sign In — Identity provider for mobile + WordPress sign-in
We process your data in the UK and EEA. Some service providers operate globally; we rely on UK adequacy decisions and the International Data Transfer Agreement (IDTA) / Standard Contractual Clauses where applicable.
How we keep your data safe
Your data is encrypted in transit and at rest. Access is restricted to authorised members and administrators of your organisation. We keep an audit trail of access and changes.
Automated decision-making
We do not make solely automated decisions about you that have legal or similarly significant effects.
Your rights
Right to be informed
We tell you how your data is used. That's what this notice is for.
Right of access
You can ask for a copy of the data we hold about you. We'll respond within 30 days of confirming it's really you asking.
Right to rectification
If anything we hold is wrong, ask us to fix it.
Right to erasure
Ask us to delete your data. We will, except where we're legally required to keep certain records (audit logs, finance records) — we'll tell you what stays and why.
Right to restrict processing
Ask us to stop using your data for a particular purpose while we sort out a complaint or correction.
Right to data portability
Ask for a machine-readable copy of your data so you can take it to another service.
Right to object
Object to processing we do under 'legitimate interests' — for example, stop receiving emails about events.
Rights related to automated decision-making and profiling
We don't make solely-automated decisions about you that have legal or similarly significant effects.
Contact us
If you would like a copy of the data we hold about you, want us to correct or delete something, or have any other concern about how we use your data, please contact us using the details above. You also have the right to complain to the Information Commissioner's Office at https://ico.org.uk/ — telephone 0303 123 1113.
Download as PDF (link valid for 1 hour)