ITFC Women Privacy Policy
This Privacy Policy explains how personal data is collected, used and protected across ITFC Women digital services.
These services include websites and online services that use your ITFC Women account.
When you create or use a ITFC Women account through one of these services, your core account information is held centrally so that you can use the same login across participating ITFC Women digital services. This central account also helps us manage authentication, security, communication preferences, consents and data protection rights across those services.
Some ITFC Women digital services may collect additional information for that specific service. Where this happens, the relevant service may provide a short supplementary privacy notice explaining the additional personal data used for that service. Those supplementary notices should be read together with this Privacy Policy.
1. Who we are
Ipswich Town Women's Football Club (company number 16321223, registered address Ipswich Town Women's Football Club Ltd, Ipswich Town Stadium, Portman Road, Ipswich, Suffolk, England, IP1 2DA ) is the Data Controller for all personal data collected through our digital services. References to "ITFC Women", "we", "us" and "our" mean Ipswich Town Women's Football Club.
HotLizard Limited (company number 03811966, registered office Tower Business Park, Kelvedon Road, Tiptree, Essex, CO5 0LX) provides and operates the digital services platform on behalf of ITFC Women. HotLizard Limited processes personal data as a processor, in accordance with ITFC Women's written instructions and under a Data Processing Agreement.
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact ITFC Women:
ITFC Women — Data Protection contact
Data Protection OfficerEmail: dataprotection@mail.colchesterstadium.com
Post: Colchester United FC c/o Ipswich Town Women, JobServe Community Stadium, United Way, Colchester, Essex CO4 5UP
2. About this policy
This policy applies to personal data collected through ITFC Women's digital services including websites and online services that use your ITFC Women account.
It explains how your ITFC Women account works across those services, how your personal data is used, how your preferences and rights are managed, and how we keep your information secure.
Some ITFC Women digital services, may collect additional information for that specific service. Where this happens, the relevant service may provide a short supplementary privacy notice explaining that additional processing.
This policy does not cover:
- third-party websites we may link to.
- services provided directly by ITFC Women outside this digital platform.
- other clubs, venues or organisations, even if they use similar technology operated by HotLizard Limited.
We may update this Privacy Policy from time to time. Significant changes will be notified to you by a notification in the service, by email, or both. Minor changes are reflected only in the "Last updated" date at the top of this policy. Previous versions of this policy will remain available at https://itfcwomen.solelysecured.com/privacy/versions.
3. What information we collect and why
3.1 Your account
We collect and use personal data to create and manage your ITFC Women account at https://itfcwomen.solelysecured.com, provide the digital services you use, keep your account secure, manage your preferences and meet our legal obligations.
Some personal data is needed so that we can create and manage your ITFC Women account, provide the services you request, keep your account secure, or meet legal requirements. If you do not provide information that is required for a particular service, we may not be able to provide that service to you.
| Category | What this may include | Why we use it |
|---|---|---|
| Identity details | Name, title and date of birth where needed for age verification. | To identify you, manage your account and apply any age-related requirements. |
| Contact details | Email address, email verification status, telephone number and, where needed, billing or delivery address. | To communicate with you, send service and security messages, support the services you use and manage communication preferences. |
| Account and security details | Password and security credentials, multi-factor authentication settings, recovery codes, login records, account status and security events. | To authenticate you, protect your account, prevent misuse and keep the platform secure. |
| Session and device information | Session identifiers, IP address, browser or device information and information about the service you signed into. | To keep you signed in, support session management, help you manage active sessions and detect suspicious activity. |
| Preferences and consents | Marketing preferences, communication choices, consent records, objections and suppression records. | To respect your choices, manage communications and demonstrate compliance with data protection and electronic marketing rules. |
| Audit and operational records | Records of security-sensitive actions, account changes, consent changes and administrative actions. | To investigate issues, respond to incidents, maintain security and meet legal or regulatory obligations. |
We do not store full card numbers or bank account details. Card payments are processed by our payment provider, and full card details do not reach or remain in our platform storage.
3.2 Automatically collected information
When you use ITFC Women digital services, we may automatically collect information such as your IP address, browser type, operating system, pages visited and cookie identifiers. More information about cookies and similar technologies is set out in Section §8.
4. How we use your information
Under UK data protection law, we must have a lawful basis for using your personal data. The table below explains the main purposes for which we use personal data and the lawful basis we rely on.
Where we rely on legitimate interests, our interests include keeping our services secure, administering and supporting the platform, preventing misuse, maintaining accurate records, and sending relevant service-related communications where permitted by law. We only rely on legitimate interests where we have considered your rights and interests.
| Purpose | Legal basis |
|---|---|
| Creating and operating your account; authenticating you; issuing sign-in tokens to ITFC Women services so you do not have to re-enter your password on each service. | Contract |
| Keeping your account secure — multi-factor authentication, account lockout after repeated failed logins, per-IP rate limiting, session management, and our in-service security monitoring. | Legitimate Interests your interest and ours in a secure service. |
| Sending transactional and security communications (for example: password changes, new sign-ins from a new device, deletion confirmations, material changes to this policy). | Contract; Legitimate Interests. Legal obligation where required |
| Sending you service-related marketing about the ITFC Women product(s) you use — for example event information, renewals and similar offers from the same product. These messages may also include brief contextual references to other ITFC Women products (for example, a link to the club shop inside a match-day email). | Legitimate Interests where permitted by electronic marketing rules and subject to your right to object at any time |
| Sending you general marketing communications — for example newsletters, cross-product promotions and partner offers — that go beyond the products you use. | Consent and subject to your right to, withdrawable at any time. |
| Providing the services you request from ITFC Women products — for example buying a ticket, booking parking, ordering food — with the minimum account information each product needs to identify you. | Contract. |
| Preventing abuse of our services — detecting credential stuffing, blocking bots, rate-limiting attackers, and investigating suspicious activity. | Legitimate Interests. |
| Keeping an audit record of security-sensitive actions. | Legitimate Interests; Legal Obligation. |
| Responding to requests you make under data protection law, including subject access and erasure requests. | Legal Obligation |
| Retaining a record that you have opted out of, or objected to, marketing, after you withdraw consent, exercise your right to object, or delete your account, so that we can prove we should not contact you. | Legal Obligation |
| Retaining financial and payment records for the period required by UK financial and tax law. | Legal Obligation. |
| Disclosing information to law enforcement, regulators or courts where we are required to do so. | Legal Obligation. |
5. How your information is shared within our services and with others
5.1 Inside our services
When you sign into any of our services using your account, your core account information (name, email address) is provided to that service to identify you. Each service only receives the information necessary for its function. For example, a food and beverage service does not receive your postal address, as it is not required for that service. Each product then keeps a local mirror of those details, kept in step with the Account Management service by signed system-to-system updates. No product ever holds your password or your multi-factor-authentication secret — those remain only with the Account Management service.
5.2 Cross-brand separation
Your data is never shared between different clubs or organisations. Your ITFC Women account is entirely separate from any accounts you may hold with other clubs or venues using similar services operated by HotLizard Limited.
5.3 Outside our services
We share personal data only where necessary to provide, support and protect ITFC Women digital services, comply with the law, or administer ITFC Women’s services. This may include sharing personal data with the following categories of recipient:
- Platform and technology providers — including HotLizard Limited, which provides and operates the digital services platform on behalf of ITFC Women.
- Hosting and infrastructure providers — to host, secure and maintain the platform.
- Payment providers — to process payments, reconcile transactions and issue refunds
- Communications providers — to support SMS, service, security or transactional communications where needed.
- Mobile wallet providers — where tickets, passes or similar items are issued to mobile wallet services.
- Delivery partners — where merchandise or other items need to be delivered.
- Professional advisers, regulators, law enforcement, courts and other authorities — where required by law or necessary to protect legal rights.
- Legal and regulatory — law enforcement, regulators, or other parties where we are required by law, or where we need to protect our legal rights. Every such disclosure is logged.
- Official sporting authorities or venue/safety bodies — where required for competition administration, venue access, safety or security.
We do not sell, rent or trade your personal information to third parties for their marketing purposes.
5.4 International transfers
Some of our service providers may process personal data outside the UK. Where this happens, we ensure that appropriate safeguards are in place as required by UK data protection law, such as relying on UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism.
6. How we protect your information
ITFC Women is committed to protecting your personal data and requires HotLizard Limited, as the platform provider acting on our behalf, to apply appropriate technical and organisational security measures.
These measures include secure connections, password and authentication protections, multi-factor authentication, account lockout and rate limiting, session management, access controls for staff, monitoring and logging of security-sensitive actions, and secure communication between ITFC Women digital services.
We review our security measures and update them where appropriate.
You should keep your login details confidential and contact us promptly if you believe your account has been accessed without permission.
Although we make every effort to protect your personal information, no online service or method of electronic storage can be guaranteed to be completely secure.
7. How long we keep your information
We keep your personal data only for as long as is necessary for the purposes it was collected for, or for as long as the law requires.
| Data | Retention period |
|---|---|
| Your account record | For as long as your account remains in use. If you do not sign in for 24 months we will contact you and, if you do not re-engage within 30 days, we will close the account. |
| Sign-in history | 90 days from the date of each sign-in. |
| Active sessions | Automatically expire after a period of inactivity; you can revoke sessions at any time in your profile. |
| Security audit log | 6 years. |
| Subject access export bundle download link | 7 days from issue, after which the bundle is automatically deleted. |
| Deletion request during the grace period | 14 days (see Section §9). |
| Financial and transaction records | 7 years (UK financial and tax law). |
| Record that you have opted out of, or objected to, marketing ("suppression record") | Retained indefinitely, even after you close your account, so that we can prove we should not contact you. Applies whether you withdrew a consent or exercised your right to object to service-related marketing sent under our legitimate interests. |
We may keep personal data for longer where this is required by law, needed to resolve disputes, enforce our terms, prevent fraud or misuse, or establish, exercise or defend legal claims. Where we no longer need personal data, we delete it or anonymise it.
8. Cookies and similar technologies
We use cookies and similar technologies on https://itfcwomen.solelysecured.com to provide and protect our service and, with your permission, to understand how it is used and to personalise content. We group cookies in four categories:
- Strictly necessary — required for the service to work at all (for example, keeping you signed in, protecting forms against attack, remembering which Brand's site you are on). These are always set.
- Functional — remember your preferences and make the service easier to use. Set only with your consent.
- Analytics — help us understand how the service is used, so we can improve it. Set only with your consent.
- Marketing — help us understand the effectiveness of our communications and, where applicable, deliver relevant advertising. Set only with your consent.
On your first visit you will see a cookie banner where you can accept all, reject all, or choose your preferences. You can change your choices at any time from our Cookie Preferences page, reachable from every footer. Your choices are remembered and applied across all ITFC Women services.
9. Your rights
You have rights under UK data protection law. Many of these can be exercised through your ITFC Women account or by contacting us using the details in Section §1.
- Right of access — request a copy of the personal data we hold about you. You can trigger this from your profile; you will receive a signed download link to a machine-readable export covering your account data and data from every ITFC Women product you have used.
- Right to rectification — correct your account details on your profile.
- Right to erasure — you can request deletion of your ITFC Women account. If you request account deletion, this relates to your ITFC Women account across the participating digital services you use. We operate a 14-day grace period during which you can cancel the request. If you do not cancel, we will delete or anonymise your account and ask the relevant ITFC Women digital services to do the same, except where we need to keep limited information for legal, financial, operational, security or suppression purposes.
- Right to restrict processing — ask us to limit how we use your personal data while a query is being resolved.
- Right to data portability — the subject access export is provided in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests. Where the processing is for direct marketing, your right to object is absolute — we will stop, with no balancing test. You can also withdraw any marketing consent you have given. Both actions are available per channel and per product stream directly from your profile at https://itfcwomen.solelysecured.com.
- Right to withdraw consent — for anything we do on the basis of your consent, you can withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing we carried out before you withdrew it.
- Rights in relation to automated decision-making and profiling — you have the right not to be subject to solely automated decisions that have legal or similarly significant effects on you. ITFC Women does not make such decisions about you. Automated processing that affects access to the service is limited to security-related measures, such as account lockout after repeated failed sign-in attempts, rate limiting and bot detection.
There is normally no charge for exercising any of these rights.
10. Marketing communications
We operate two separate marketing streams. They rely on different legal bases, and each is managed independently in your communications preferences on your ITFC Women account You can stop either stream at any time without affecting the other, and without affecting service and security messages.
We may use basic email segmentation, such as selecting users who have used a particular service or bought a particular type of product, to send relevant service-related communications or marketing where permitted by law. We do not use this to make solely automated decisions about you that have legal or similarly significant effects.[
10.1 Service-related marketing (legitimate interests)
When you buy from a ITFC Women website, or create an account on one, we may send you messages about similar matters from that same product — for example, upcoming fixtures, season-ticket renewals, related hospitality offers, and similar. We rely on our legitimate interests to send these communications where permitted by electronic marketing rules, including the “soft opt-in” for similar products and services. You can object to these messages at any time.
You do not need to opt in to receive these messages, but you have an absolute right to object to them at any time. You can do this by:
- Using the "Stop these" controls in your communications preferences at https://itfcwomen.solelysecured.com, per product and per channel (email, SMS, post, phone).
- Clicking the unsubscribe link in any such message.
- Contacting us using the details in Section §1.
Within a service-related marketing message, we may include brief, contextual references or links to other ITFC Women products — for example, a match-day email may include a link to the club shop so you can order from it before attending the fixture. These incidental references do not create a separate marketing stream: if you object to service-related marketing for a product, you will stop receiving those messages entirely, including the cross-product references inside them.
10.2 General marketing (your consent)
Marketing that goes beyond the products you already use — for example our newsletter, cross-product promotions, and third-party partner offers — is sent only where you have given your separate, consent for the relevant communication channel. You can withdraw that consent at any time in your communications preferences at https://itfcwomen.solelysecured.com or by using the unsubscribe link in any such message.
10.3 Service and security communications
Stopping marketing of either kind does not affect service and security communications such as sign-in alerts, password-change confirmations, order confirmations, important account notifications, or material updates to this policy. We send these under Contract or Legal Obligation and cannot turn them off while your account is open.
10.4 Brand isolation
Your communications preferences apply to your ITFC Women account only. If you also hold an account with another club or venue whose services are operated on the same platform by HotLizard Limited, your preferences and personal data there are held and managed entirely separately from ITFC Women. A marketing objection or consent set on one Brand never transfers to another.
10.5 Suppression record
If you withdraw consent, object to service-related marketing, or delete your account, we keep a minimal record of that fact (your email address and phone number, flagged as suppressed, with the stream and the date) so that we do not contact you by mistake in the future. This suppression record is kept indefinitely — see Section §7 — and applies equally whether the suppression arose from a withdrawn consent or an exercised right to object.
11. Children
ITFC Women digital accounts are not available to children under the age of 13. You must be 13 or older to create your own account. Where we collect your date of birth, we use it only to check that this age requirement is met.
If you are a parent or guardian, you may use your own account to buy tickets or products for a child in your care. In that case, the products are issued through your account, and you remain responsible for the account.
We do not knowingly market products or services to users aged 13–17, and we do not allow children under 13 to create their own account. If we become aware that we hold a standalone account for a child under 13, we will close it and delete or anonymise the personal data unless we need to keep limited information for legal or safeguarding reasons.
12. Security incidents
If a security incident occurs that affects your personal data, ITFC Women — in its role as Data Controller — is responsible for assessing the incident and, where required under by UK data protection law, notifying the Information Commissioner's Office and, where the incident is likely to result in a high risk to your rights and freedoms, notifying you HotLizard Limited, as the platform provider acting on ITFC Women’s behalf, will support ITFC Women in identifying, investigating and responding to relevant incidents.
13. Complaints
If you are unhappy with how we have handled your personal information, please contact us using the details in Section §1 so that we can try to resolve the issue.
You also have the right to lodge a complaint with the UK's data protection supervisory authority, the Information Commissioner's Office (ICO):
Website: https://ico.org.uk/concerns/Telephone: 0303 123 1113
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services or the law. If we make material changes we will notify you through the relevant ITFC Women digital service, by email, or both. Minor changes are indicated only by an updated "Last updated" date at the top. The policy in force at the time of each previous publication is retained and accessible at https://itfcwomen.solelysecured.com/privacy/versions.