This policy explains what personal data Ludum Events collects, why we collect it, how we use it, and what rights you have. We've tried to write it in plain English. If anything is unclear, email us at [email protected].
1. Who we are
Ludum Events is a service provided by Ludum Ltd, a company registered in England and Wales, contactable at [email protected]. For the purposes of UK GDPR and the EU General Data Protection Regulation, Ludum Ltd is the data controller for the personal data we hold about organisers and visitors to ludumevents.com.
For coach, volunteer and competitor data uploaded by an event organiser into the Ludum Events platform, the organiser is the data controller and Ludum Ltd is a data processor acting on the organiser's instructions under a Data Processing Agreement (the standard DPA forms part of our Terms of Service).
2. What we collect
From organisers (account holders)
- Name, email address, and the name of the regatta or event you organise.
- Authentication metadata (login timestamps, IP address of last sign-in).
- Branding data you upload (logo, colour palette, sender name and email).
- Any messages you compose and send through the platform.
From coaches and volunteers (invited users)
- Name, email address, club affiliation(s), and (for coaches) a coaching licence number — uploaded by the organiser from the British Rowing BROE2 entry system or a CSV.
- Replies you send to organiser broadcasts, plus read-receipt timestamps.
- Browser push-notification subscription details, if you opt in.
- For volunteers: shift assignments and contact details collected at sign-up.
From competitors
- Name, age category, club, and crew assignment, imported from BROE2 by the organiser. Competitors do not have user accounts and we do not collect data from them directly.
From visitors to ludumevents.com
- Standard server logs (IP address, user agent, requested URL, timestamp) retained for 30 days for security and debugging.
- We do not run third-party analytics, advertising trackers, or session-replay tools on the marketing site.
3. Why we collect it
We use personal data to:
- Provide the Ludum Events service — sending and receiving communications between organisers, coaches and volunteers; populating dashboards; generating event collateral.
- Authenticate users via magic-link email (no passwords are stored).
- Send transactional emails (account confirmations, invitations, broadcast deliveries).
- Respond to support requests sent to us.
- Detect and investigate abuse, fraud, or technical faults.
- Comply with our legal obligations.
We do not use personal data for advertising, profiling, or sale to third parties. We do not train AI models on customer data.
4. Lawful basis under UK GDPR
| Activity | Lawful basis |
|---|---|
| Providing the service to organisers | Contract (Article 6(1)(b)) |
| Sending invites and broadcasts to coaches and volunteers | Legitimate interest (Article 6(1)(f)) — necessary for the safe operation of a sporting event |
| Push notifications to coaches | Consent (Article 6(1)(a)) — coaches opt in via browser permission |
| Security logs, fraud prevention | Legitimate interest (Article 6(1)(f)) |
| Tax and accounting records | Legal obligation (Article 6(1)(c)) |
5. Who we share it with
We share personal data only with the service providers we use to operate Ludum Events. Each is bound by a Data Processing Agreement that restricts what they can do with the data:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication | EU (Frankfurt) |
| Vercel | Application hosting (app.ludumevents.com) | UK / EU edge |
| DigitalOcean | Marketing site hosting (ludumevents.com) | UK (London) |
| SendGrid | Transactional email delivery | USA |
| Cloudflare | Edge network and DDoS protection | Global |
We do not sell personal data. We do not share data with advertising networks. We may disclose data if compelled by a legally valid request from a UK or EU authority.
6. International transfers
Where personal data is transferred outside the UK or EEA (currently to SendGrid in the United States), the transfer is protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or the equivalent EU SCCs.
7. How long we keep it
- Organiser accounts: for as long as the account is active, plus 30 days after deletion.
- Event data (crews, competitors, messages): for the duration of the event plus 12 months, then permanently deleted unless the organiser exports or extends.
- Coach and volunteer accounts: until the relevant event ends, then converted to anonymised statistics; personal identifiers are removed within 30 days.
- Server logs: 30 days.
- Financial records: 7 years, as required by HMRC.
8. Your rights
Under UK and EU GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase data we hold (subject to legal retention obligations).
- Restrict or object to processing.
- Portability — receive a machine-readable copy of your data.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.
To exercise any of these rights, email [email protected]. We aim to respond within 30 days.
If you are a coach or volunteer whose data was uploaded by an event organiser, please contact that organiser first — they are the data controller for that data. If you cannot reach them, we will help.
9. Cookies
The marketing site (ludumevents.com) sets no cookies. Google Fonts is loaded directly from fonts.googleapis.com without cookies, in line with their privacy-friendly delivery option.
The application (app.ludumevents.com) sets:
- A session cookie issued by Supabase, used to keep you signed in. Strictly necessary; not used for tracking.
- A theme preference in localStorage, where applicable.
No third-party analytics or advertising cookies are set on either domain.
10. Security
We use industry-standard security practices including:
- HTTPS for all connections, with HSTS enforced.
- Database encryption at rest (Supabase Postgres with AES-256).
- Row-level security policies on all tenant data.
- Magic-link authentication (no password storage; no password reuse risk).
- Audit logs of every data import, send, and edit.
If you become aware of a security issue, please email [email protected] with the subject line "Security" and we will respond within one business day.
11. Changes to this policy
We may update this policy as the service evolves. We will notify organisers of material changes by email at least 14 days before they take effect, and the "Last updated" date at the top of this page will change. Older versions are available on request.
12. Contact
Questions, requests, or anything else: [email protected].
Postal address available on request to the email above.