
Privacy, GDPR & Data Retention Policy

Written by Giovanni
Updated yesterday

This policy outlines how BMABA CIC ("we", "us", "our") collects, uses, stores, and protects personal data across all BMABA-owned, operated, and hosted platforms, including:

  • bmaba.org.uk

  • mybmaba.org.uk

  • MyBMABA App

  • Any associated subdomains, APIs, portals, or digital services under our control.

We are committed to safeguarding the privacy and personal data of all users in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

BMABA CIC (registration number 10676965) is a registered community interest company acting as a governing and licensing body for martial arts in the UK. We operate a range of platforms to support our members, instructors, and the wider martial arts community. We are the data controller for the purposes of this policy.

2. What Information We Collect

We collect the following categories of personal data through our websites, platforms, mobile applications, and support systems:

a. Standard User Data

Whilst we may not collect or store all of this information, where it is submitted to us by you or by a person with authority to transmit data on your behalf (e.g. an employer or lead instructor), we may hold:

  • Name

  • Email address

  • Contact number

  • Address

  • IP address

  • Login credentials (encrypted)

  • Technical/browser/device usage information

b. Instructor and Club Workforce Data

In addition to standard user data, we collect and retain the following data from instructors and workforce personnel, specifically and exclusively to fulfil our obligations as a responsible governing body:

  • Date of birth

  • Martial arts styles practised and grades held

  • Club affiliations

  • DBS status and certificate details

  • First Aid qualification status

  • Safeguarding training and certificates

  • Instructor insurance status

  • Proofs of identity

  • Relevant compliance and verification documentation

3. How We Use Your Data

We process personal data for the following purposes:

a. Membership and account services
To deliver membership-related services and grant access to our systems and platforms, including processing applications, managing subscriptions, issuing certifications, and supporting instructor or club-related activity.

b. Safeguarding and regulatory compliance
To meet our obligations under safeguarding, licensing, and regulatory frameworks, including verifying qualifications, managing DBS records, and enforcing codes of conduct across our instructor and club network.

c. Platform functionality
To operate and maintain services such as Club Colours, Regulation Ready, and the Club Manager platform. This includes student tracking, compliance dashboards, verification systems, and embedded tools provided via our websites and apps.

d. Insurance and risk management
To administer insurance eligibility and claims support, manage liability-related documentation, and maintain accurate risk records in line with our broker and underwriter requirements.

e. Communications and updates
To send essential service communications, such as renewal notices, operational announcements, platform updates, and policy changes. This excludes promotional or marketing communications unless separately consented to.

f. System performance and analytics
To monitor platform usage, detect technical issues, improve service delivery, and inform future development through aggregate reporting and analytics (using tools such as Google Analytics, where applicable).

g. Legal and statutory requirements
To comply with legal obligations such as safeguarding referrals, insurance recordkeeping, regulatory audit trails, and data protection laws.

4. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we must identify a lawful basis for processing personal data. BMABA CIC processes data under one or more of the following lawful grounds:

a. Contractual Necessity

We process personal data to enter into, or fulfil, a contract — for example, when:

  • You register as a member, instructor, or club with BMABA CIC

  • You access our platforms (e.g. MyBMABA or the MyBMABA App)

  • We provide services such as insurance, certification, compliance verification, or platform functionality

Processing is necessary to deliver the services you have requested and to manage your membership effectively.

b. Legal Obligation

We are required to process certain categories of personal data to comply with legal and statutory obligations, particularly in areas such as:

  • Safeguarding children, young people, and vulnerable adults

  • Compliance with DBS regulations, duty of care standards, and national child protection frameworks

  • Insurance audit trails and recordkeeping

  • HMRC, company law, or data protection reporting requirements

In these cases, processing is not optional and cannot be overridden by objection or withdrawal of consent.

c. Legitimate Interests

We may process data where it is necessary for our legitimate interests — or those of a third party — provided these interests are not overridden by your rights or freedoms. This includes:

  • Ensuring the safe, lawful, and professional operation of martial arts instruction in the UK

  • Monitoring compliance with safeguarding, grading, and licensing standards

  • Preventing misuse of BMABA CIC’s services, credentials, or regulatory status

  • Managing internal training, audits, risk assessments, or quality control

  • Communicating operational updates to existing members

We conduct legitimate interest assessments (LIAs) where required to ensure this basis is applied fairly and transparently.

d. Consent

In certain circumstances, we will ask for your clear and explicit consent to process your data. This applies when:

  • You opt into receiving marketing communications

  • You allow us to use optional analytics tools (e.g. performance cookies)

  • You submit data through optional forms or participate in surveys

You have the right to withdraw consent at any time, and doing so will not affect the lawfulness of processing based on consent before withdrawal.

5. Data Retention

Due to our organisation’s role in safeguarding, licensing, and insurance provision, we apply extended data retention protocols as follows:

a. General Website and App Users

  • Data is retained for up to 2 years after last activity for inactive accounts unless earlier deletion is requested.

b. Instructors and Club Workforce

  • Basic data, including full name, date of birth, styles taught, and grades held, is retained indefinitely for safeguarding and regulatory audit purposes; however, most data is systematically cleansed after 7 years post-membership.

  • Key licensing and compliance data, including:

    • DBS status

    • First Aid qualification

    • Insurance status

    • Safeguarding training

    • Other regulatory documents

    is retained for a minimum of 7 years following membership expiration or account closure. This is essential for:

    • Retrospective insurance claims or inquiries

    • Safeguarding audits and regulatory checks

    • Compliance with professional and legal obligations

After membership expires, any personally identifiable information is retained only on our central CRM and is not shown or held within external systems, such as MyBMABA. At this point it is considered archived.

6. Data Sharing

We do not sell, lease, or share personal data with third parties for marketing purposes under any circumstances.

However, to fulfil our legal, safeguarding, licensing, and operational obligations as a governing body, we may share personal data with trusted third parties under strict conditions. These include:

  • Insurers and underwriters, to fulfil our regulatory and risk management duties, including the administration of insurance policies, claims, and compliance audits.

  • Regulatory authorities and statutory bodies, such as the Disclosure and Barring Service (DBS), the Police, Local Authority Designated Officers (LADOs), and safeguarding partners, where disclosure is required by law or in the interest of public protection.

  • IT and infrastructure service providers, such as secure cloud hosting or CRM vendors, who support our platforms. These providers are bound by Data Processing Agreements (DPAs) and may only process data under our direct instruction.

  • Legal representatives or courts, when required to respond to legal claims, enforce contractual terms, or defend our legal rights.

Data Processing Controls

We take the following measures to ensure your data is protected when shared:

  • All third parties acting on our behalf are classified as data processors and are contractually bound to comply with UK GDPR and our specific data handling requirements.

  • Where data is shared with independent data controllers (e.g. insurers or regulators), we conduct appropriate due diligence and share only what is necessary for the lawful purpose.

  • Data minimisation is applied at all times — we share only the specific data required for the defined task or obligation.

  • Secure transfer protocols (e.g. encryption, authenticated access) are used to protect data in transit and at rest.

We never authorise any third party to use your data for their own commercial purposes and regularly review third-party compliance as part of our data governance programme.

7. Data Security

We are committed to ensuring the confidentiality, integrity, and availability of personal data through a combination of robust technical and organisational safeguards. Our approach is designed to prevent unauthorised access, data loss, misuse, or compromise across all BMABA-owned systems and services.

Technical Measures

We implement a layered security model across all platforms, including:

  • End-to-end encrypted communications via HTTPS/SSL across all web-based systems, APIs, and mobile apps.

  • Secure login systems with enforced strong password policies, session management, and multi-factor authentication (2FA) for administrators and staff.

  • Role-based access controls (RBAC) to ensure only authorised personnel can access personal or sensitive data, with permissions assigned based on the principle of least privilege.

  • Server-side firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor, block, and respond to suspicious activity in real time.

  • Secure storage of uploaded documents, including compliance records (e.g. DBS, safeguarding, ID), using encrypted file systems with restricted access and audit logs.

  • Regular patching and system updates to prevent vulnerabilities and maintain up-to-date protection across all servers and software components.

  • Penetration testing and vulnerability scanning are conducted periodically, either internally or via trusted third parties.

Organisational Measures

To supplement our technical controls, we maintain a strong internal governance framework:

  • Cyber Essentials certification is maintained to demonstrate our commitment to core cyber hygiene and security principles.

  • All staff and contractors sign confidentiality agreements and undergo data protection training, with additional safeguarding and compliance training for relevant roles.

  • Internal access to personal data is logged, monitored, and reviewed, and all data-handling activities are subject to audit trail tracking where applicable.

  • Data protection policies and procedures are reviewed regularly and updated in line with changes to legislation or operational risk.

  • In the unlikely event of a data breach, we have a documented incident response plan to ensure prompt notification (within 72 hours where required) and appropriate mitigation steps.

Third-Party and Cloud Infrastructure

All cloud-based infrastructure and third-party systems used by BMABA CIC are:

  • Hosted within the UK or EEA unless explicitly stated and subject to adequate data protection safeguards.

  • Evaluated for GDPR compliance, and covered by appropriate Data Processing Agreements (DPAs).

  • Regularly reviewed for security posture, backup protocols, and compliance with recognised standards (e.g. ISO 27001 where applicable).

8. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights regarding your personal data:

  • Access – You have the right to request access to the personal data we hold about you.

  • Rectification – You can ask us to correct inaccurate or incomplete information.

  • Erasure – You have the right to request erasure of your personal data, but this is subject to important legal exceptions (see below).

  • Restriction or objection – You may object to, or request restriction of, certain types of data processing.

  • Withdraw consent – Where we rely on your consent for processing (e.g. for marketing), you can withdraw it at any time.

  • Complain – You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk.

To exercise any of your rights, please contact our office.

Important Safeguarding & Insurance Consideration

Due to the nature of our work as a safeguarding and licensing body, we are legally and contractually required to retain core verification data for a minimum of seven (7) years, even after your membership or registration has expired. This includes, but is not limited to:

  • Your full name

  • Date of birth

  • Your club/instructor affiliation

  • The status and outcome of safeguarding and regulatory checks such as:

    • DBS verification

    • First Aid qualification

    • Instructor insurance

    • Safeguarding certification

    • Identity confirmation

    • Other risk-related records required for licensing or retrospective claims

These data are retained to:

  • Fulfil retrospective insurance and safeguarding inquiries

  • Comply with our legal and regulatory obligations

  • Protect vulnerable groups and maintain our safeguarding integrity

Where you request erasure of your personal data before the expiry of this lawful retention period, we will instead pre-scrub all non-essential data, in line with our standard data minimisation procedures. This ensures that:

  • Any non-essential or supplementary data (e.g. address, contact details, uploads, internal notes) is deleted or anonymised.

  • Only the minimum data necessary for safeguarding, legal, or insurance purposes is retained.

9. Cookies & Analytics

Like most modern websites and applications, BMABA CIC uses cookies and similar tracking technologies across our platforms, including bmaba.org.uk, mybmaba.org.uk, and the MyBMABA App, to improve user experience, monitor usage, and ensure platform security.

What Are Cookies?

Cookies are small text files placed on your device (computer, tablet, or smartphone) when you visit or interact with our websites or platforms. They enable core functionality and allow us to understand how our services are used.

Why We Use Cookies

We use cookies and analytics tools for the following purposes:

  • Essential Functionality
    To enable login, navigation, and secure access to your member account, dashboard features, and key services. These cookies are required for our platforms to function correctly.

  • Performance & Analytics
    To collect aggregated usage data (e.g. page visits, session duration, error reports) through trusted services such as Google Analytics. This helps us monitor and improve the performance, accessibility, and reliability of our websites and apps.

  • User Experience
    To remember user preferences (e.g. interface settings, cookie consent choices), reduce load times, and provide a more personalised experience.

Cookie Consent & Control

Upon your first visit to our websites or use of our apps, you will be presented with a cookie consent banner or control tool. You may:

  • Accept or decline non-essential cookies

  • Change your preferences at any time via the on-site cookie control tool

  • Manage or block cookies through your browser settings

Please note that disabling essential cookies may affect the functionality and performance of our platforms, including login access and secure account features.

Third-Party Tools

We may use the following third-party analytics or performance tools, all of which are subject to appropriate data processing agreements:

  • Google Analytics (for usage monitoring)

  • Cloudflare or other providers (for traffic routing and security)

These services may place their own cookies in accordance with their privacy policies. We take care to ensure all third-party tools comply with UK GDPR and the Privacy and Electronic Communications Regulations (PECR).

10. International Data Transfers

BMABA CIC aims to store and process all personal data within the United Kingdom (UK) or the European Economic Area (EEA) wherever reasonably possible.

However, some of our systems and service providers may operate or store data in countries outside the UK or EEA. In such cases, we ensure that appropriate safeguards are in place to maintain an equivalent level of protection for your personal data.

These safeguards include, where applicable:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner’s Office (ICO) or the European Commission

  • UK International Data Transfer Addendums, where required

  • Vendor due diligence and data protection impact assessments

  • Binding Corporate Rules, certifications, or other legally recognised mechanisms of protection

We work only with third-party providers who demonstrate compliance with UK GDPR standards and who have robust data security protocols in place.

We do not transfer data internationally without ensuring that your rights and freedoms remain fully protected, and that all processing complies with this Privacy Policy and applicable legislation.

11. Policy Updates

We may update this policy from time to time to reflect changes in legal requirements or service operations. Significant changes will be communicated via platform notices or direct email.
