Privacy Policy
GDPR-Compliant Privacy Notice — Chat Do® Mobile Application
Version 1.0 | Effective: May 2026
Chat Do Limited | Company No. 16767864 | ICO Reg. ZC085027
1. Who We Are
Chat Do Limited (“Chat Do”, “we”, “us”, “our”) is a company registered in England and Wales (Company No. 16767864). We operate the Chat Do® mobile application and website at chatdo.co.uk. We are the Data Controller for all personal data processed through our platform and are registered with the Information Commissioner’s Office (ICO) under registration number ZC085027.
This Privacy Policy applies to all personal data collected through the Chat Do® app, website, and any related services. It has been prepared in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the ICO Age Appropriate Design Code (Children’s Code), informed by legal advice from O Tse & Co. Limited (SRA 8002050).
Contact us: hello@chatdo.co.uk
2. What Chat Do Is
Chat Do is a private digital record-keeping platform for grassroots football players aged 6 to 18 in the UK, and the coaches who work with them. Our purpose is to help every young player — regardless of ability level — record, celebrate, and reflect on their personal football journey in a safe, private, family-managed environment.
The platform enables players to document training sessions, match experiences, personal reflections, photos, videos, and season achievements. Coaches can create professional profiles, record training sessions, add players to their team, and issue digital Achievement Cards to recognise players. All content is private by default.
3. Account Types and Registration
3.1 Players Aged 6 to 15 (U6–U15) — Parent-Managed Accounts
All registration for players in this age group must be completed by a parent or legal guardian. The parent or guardian provides their own email address, selects the player’s age group and county, ticks a mandatory consent checkbox confirming parental responsibility, and completes OTP email verification. Under UK GDPR Article 8 and the Data Protection Act 2018 s.9, processing the personal data of a child under 16 requires consent by a person holding parental responsibility. Children in this age group cannot register directly or submit personal data independently.
3.2 Players Aged 16 to 18 (U16–U18)
Players aged 16 to 18 may register using their own email address and must accept these Terms and this Privacy Policy at registration. Parents and guardians are encouraged to remain involved in supervising the use of the platform by players in this age group.
3.3 Coaches
Coaches register independently using their own email address and must confirm via mandatory checkbox that they are an adult acting responsibly under Chat Do’s Community Guidelines. Coaches must be aged 18 or over.
3.4 Third-Party Login (Google, Facebook, and Apple OAuth)
Users may register or log in using Google, Facebook, or Apple (Sign in with Apple). Chat Do receives only the authentication token required to verify identity. We do not store third-party credentials. Use of third-party login is subject to that platform’s own privacy policy. Where third-party social login options are offered, Sign in with Apple is also provided in compliance with Apple App Store requirements.
4. Personal Data We Collect
4.1 At Registration
- First name
- County (selected from dropdown)
- Age group
- Email address (parent/guardian email for U6–U15; player’s own email for U16–U18; coach’s email for coaches)
- Password (stored in hashed form only — plain-text passwords are never stored or accessible)
- Account type (Player or Coach)
- For U6–U15: parent or guardian email address and a timestamped record of the consent checkbox confirmation
4.2 Profile Information (Provided Voluntarily)
Users may optionally add the following after registration. Each field can be individually set to Public or Private:
- Profile photograph (for under-16 accounts, uploaded by the parent or guardian)
- Last name initial (players) or full last name (coaches)
- Team name, playing position, shirt number
- Personal bio or statement
- For coaches: coaching certifications, organisation or club name, professional background
4.3 Football Journey Records
- Training session records: date, activity, personal reflections, what was learned, attached photos or videos
- Match records: match details and post-match reflections
- Season achievement records and milestones
- Digital Achievement Cards received from a coach
4.4 Device Permissions
The Chat Do app requests the following device permissions, used solely for the stated purpose:
- Camera: to allow the user to take a photo or video within the app for their profile or a record entry. Requested only when the user initiates this action. Not accessed in the background.
- Photo Library / Media: to allow the user to upload an existing photo or video from their device. Requested only when the user initiates this action. Not accessed in the background.
- Push Notifications: to send account-related alerts (e.g. OTP codes, Achievement Card received). Users may manage preferences at any time in device settings.
The app does not access the camera, photo library, microphone, or location data in the background under any circumstances.
4.5 Technical and Session Data
- OTP verification tokens (retained only for the validity period of the OTP, then deleted)
- Session tokens (to maintain login state where “Remember Me” is selected)
- OAuth authentication tokens (where third-party login is used)
5. Special Protections for Children
Chat Do is designed primarily for children and young people. We apply the highest available standards of child data protection, consistent with all 15 standards of the ICO Children’s Code (Age Appropriate Design: A Code of Practice for Online Services):
- Best interests of the child: the primary consideration in all design and data decisions.
- DPIA: a Data Protection Impact Assessment covering all processing that affects children has been conducted and is maintained.
- Age-appropriate application: children under 16 cannot register independently. All U6–U15 accounts are parent-managed with age verified at registration.
- Transparency: privacy information is provided in clear, age-appropriate language at each relevant point.
- No detrimental data use: children’s data is never used for advertising, commercial profiling, or in any way detrimental to their wellbeing.
- Community standards: Chat Do maintains and enforces published Community Guidelines.
- High-privacy defaults: all profile fields are Private by default. No information is visible to others unless actively changed by the user or their parent/guardian.
- Data minimisation: only the minimum data necessary for each function is collected.
- No data sharing: children’s data is not shared with third parties without a compelling, documented reason serving the child’s best interests.
- No geolocation: geolocation data is not collected from any user at any time.
- Parental visibility and control: parents managing U6–U15 accounts have full control at all times. Children are informed in age-appropriate language that their account is managed by their parent or guardian.
- No profiling: no algorithmic profiling, no content recommendation engines, no engagement-optimisation algorithms, no behavioural tracking.
- No nudge techniques: the platform does not use nudge techniques to encourage data sharing or privacy weakening.
- Online tools: clear tools are provided for users and parents to manage settings, exercise data rights, and report concerns.
6. Legal Bases for Processing (UK GDPR Article 6)
- Consent (Article 6(1)(a) and Article 8): for U6–U15 accounts, consent is given by the parent or legal guardian via mandatory checkbox at registration, recorded with a timestamp. For U16–U18 players, consent is given by the user.
- Contract Performance (Article 6(1)(b)): to create and operate the user’s account and deliver platform functionality.
- Legitimate Interests (Article 6(1)(f)): to operate, secure, and improve the platform, balanced carefully against the rights of users, with particular protection for children.
- Legal Obligation (Article 6(1)(c)): to retain records required by applicable law including safeguarding records.
7. How We Use Personal Data
- To create and manage user accounts
- To enable players to build and maintain their personal football profile and journey records
- To enable coaches to log training sessions and issue digital Achievement Cards
- To send OTP verification codes and password reset emails
- To maintain session authentication where “Remember Me” is selected
- To support third-party OAuth login where selected
- To maintain records required for safeguarding and legal compliance
We will never sell personal data or use it for advertising.
8. Third-Party Service Providers (Data Processors)
Chat Do uses carefully selected third-party service providers to operate the platform. All processors are engaged under GDPR-compliant Data Processing Agreements requiring equivalent data protection standards. Categories of processors used include:
- Cloud hosting and infrastructure providers
- Email delivery providers (for OTP verification and account notifications)
- Authentication service providers
- Secure payment processors (where applicable for any future paid features)
We do not use third-party advertising networks, behavioural analytics platforms, or any service that would share user data for commercial purposes. Specific processor names are available on request at hello@chatdo.co.uk.
9. Privacy Controls and Default Settings
Every field within a user’s profile can be individually set to Public or Private. All fields are Private by default. Users (or parents/guardians for under-16 accounts) can update settings at any time within the app.
10. Achievement Cards and External Sharing
Coaches may create and award digital Achievement Cards to players as positive recognition. Players (or their parents/guardians for under-16 players) may choose to share Achievement Cards to external platforms such as WhatsApp, Instagram, or Facebook. This is entirely voluntary and initiated by the user or their parent/guardian. Chat Do accepts no responsibility for the privacy practices of external platforms. Parents of under-16 players are responsible for authorising any external sharing.
11. Data Sharing
We do not sell or share personal data for commercial purposes. Data is shared only:
- With third-party service providers under GDPR-compliant Data Processing Agreements (as described in Section 8)
- With Google, Facebook, or Apple where the user selects third-party login
- With law enforcement, Ofcom, the ICO, or child protection authorities where required by law or in the interests of child safety
Children’s personal data is not shared with any third party without a compelling, documented reason serving the child’s best interests.
12. Data Storage and Security
All personal data is stored securely within the UK and/or European Economic Area (EEA). Our security measures include:
- Password hashing — passwords are never stored in plain text
- OTP-based email verification for all new accounts and password resets
- Access controls preventing unauthorised access to user profiles and records
- Encryption of data in transit and at rest
- Regular security reviews and assessments
13. Personal Data Breach Procedure
In the event of a personal data breach that poses a risk to the rights and freedoms of users, Chat Do will comply with all legal obligations under UK GDPR, including:
- Notifying the ICO within 72 hours of becoming aware of the breach, where required
- Notifying affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Taking immediate steps to contain the breach and mitigate harm
We maintain an internal incident response procedure for data breach detection, reporting, and remediation.
14. Content Moderation
Chat Do actively moderates content on the platform to protect users, particularly children. Moderation may include a combination of automated detection tools and human review. Users may report concerns or harmful content at any time by emailing hello@chatdo.co.uk. All reports are acknowledged within 48 hours.
15. Account Deletion and Data Retention
Users (and parents/guardians on behalf of under-16 players) may request account deletion at any time:
- From within the app: Account Settings > Delete Account
- By email: hello@chatdo.co.uk
Upon deletion, all personal data associated with the account is permanently deleted, except where retention is required by law. Retention periods:
- Active account data: retained while the account is active
- OTP and verification tokens: deleted immediately upon use or expiry
- Session tokens: deleted upon logout or session expiry
- Post-deletion retention for legal purposes: minimum period required by law only, held securely and deleted as soon as the obligation expires
16. Your Rights Under UK GDPR
Parents and guardians may exercise the following rights on behalf of children under 16. Users aged 16 and over may exercise these rights directly:
- Right of Access (Article 15)
- Right to Rectification (Article 16)
- Right to Erasure (Article 17)
- Right to Restrict Processing (Article 18)
- Right to Object (Article 21)
- Right to Data Portability (Article 20)
- Right to Withdraw Consent at any time without affecting the lawfulness of prior processing
To exercise any right: hello@chatdo.co.uk. Response within 30 days. Complaints to the ICO: ico.org.uk or 0303 123 1113.
17. Changes to This Policy
We will update this Privacy Policy to reflect changes in law, ICO guidance, or platform functionality. Registered users will be notified of material changes via the app or email before changes take effect. The latest version is always at https://portal.chatdo.co.uk/app-privacy.
18. Contact
Chat Do Limited | hello@chatdo.co.uk | Company No: 16767864 | ICO Reg: ZC085027