
Privacy Policy

Last updated: 22 May 2026

This Privacy Policy explains how Theatre Stack Ltd (trading as TheatreStack; "we", "us", "our") collects, uses, and protects personal data when you use the TheatreStack platform (the "Service").

We are registered with the Information Commissioner's Office (ICO). ICO registration number: TBC. Registered address: TBC. Contact email: [email protected].


Contents

  1. Scope of this policy
  2. Our role: controller and processor
  3. What personal data we collect
  4. How we use personal data (controller purposes)
  5. Lawful bases for processing
  6. Special category and criminal records data
  7. Children's personal data
  8. Who we share data with
  9. Where we store your data and international transfers
  10. How long we keep data
  11. Your rights under UK GDPR
  12. Cookies
  13. Security
  14. Changes to this policy
  15. Contact us and complaints

1. Scope of this policy

This policy covers personal data that we (TheatreStack) process as a controller — that is, data we collect for our own purposes, such as operating accounts, billing, and improving the Service.

Where your society (organisation) uploads data about its members, volunteers, children, or other individuals into TheatreStack, that organisation is the controller and we act as a processor on their instructions. In that situation, the organisation's own privacy notice covers how that data is used. See Section 2 for more detail.

2. Our role: controller and processor

When we are a controller

We are a controller when we process data for our own business purposes, including:

  • Creating and managing your TheatreStack account;
  • Billing and subscription management;
  • Providing customer support;
  • Sending service-related communications (e.g. password resets, billing notices);
  • Analysing aggregate, anonymised usage to improve the Service;
  • Complying with our own legal obligations.

When we are a processor

When an organisation (your society or committee) uploads or records personal data about its members, participants, children, chaperones, or other individuals in TheatreStack, the organisation is the controller and we are the data processor acting on its documented instructions.

This includes — but is not limited to — member profiles, child participation records, safeguarding incident reports, DBS and chaperone licence records, emergency contact details, and medical notes.

Organisations using TheatreStack for these purposes should publish their own privacy notice to members and participants that accurately describes their data processing activities. Our Data Processing Agreement (DPA) sets out the obligations that apply in the processor relationship.

3. What personal data we collect

Data you provide directly

  • Account registration: name, email address, and a password (hashed) or passkey.
  • Profile information: display name, photo, contact details (optional).
  • Billing information: billing name, address, and payment details (processed by our payment provider; we do not store full card numbers).
  • Communications: messages you send to our support team or via in-platform contact forms.
  • Cookie preferences: your consent choices recorded when you interact with the cookie banner.

Data we collect automatically

  • Usage data: pages visited, features used, session duration, errors encountered — collected to operate and improve the Service. This is linked to your account where you are logged in, or to a session identifier for anonymous visitors.
  • Log data: IP address, browser type, operating system, referring URL, and timestamps — collected in server and application logs for security and performance purposes.
  • Cookies and similar technologies: see Section 12 and our Cookie Policy.

Data organisations record about their members and participants (processor data)

When an organisation uses TheatreStack, its administrators may record personal data about their members, performers, children, volunteers, and other individuals. This data is stored and processed on behalf of the organisation (as controller). Examples include:

  • Member names, contact details, date of birth, and roles;
  • Child profiles (name, date of birth, school details, parent/guardian contact);
  • Safeguarding incident and case records;
  • DBS check dates and reference numbers;
  • Chaperone licence details;
  • Medical notes and emergency contacts;
  • Performance licence records;
  • Attendance and session records.

We only process this data as instructed by the organisation. For queries about this data, please contact your society or organisation directly.

4. How we use personal data (controller purposes)

| Purpose | Data used | Lawful basis |
|---|---|---|
| Creating and managing your account | Name, email, password/passkey | Contract |
| Authenticating you securely | Email, session data, MFA credentials | Contract |
| Processing subscription and payment | Billing name, address, payment token | Contract |
| Sending essential service emails (e.g. password resets, billing alerts) | Email address | Contract / Legitimate interests |
| Providing customer support | Name, email, support messages | Contract / Legitimate interests |
| Security monitoring and fraud prevention | IP address, session data, log data | Legitimate interests |
| Analytics and product improvement (anonymised/aggregated) | Usage data, log data | Legitimate interests |
| Analytics cookies (with your consent) | Cookie identifiers, page views | Consent (PECR) |
| Compliance with legal obligations (e.g. tax records) | Billing and account data | Legal obligation |
| Responding to data subject requests | Account data and request details | Legal obligation |

5. Lawful bases for processing

UK GDPR requires us to have a lawful basis for processing personal data. The bases we rely on are:

  • Contract (Article 6(1)(b)): processing necessary to provide the Service you have signed up for.
  • Legitimate interests (Article 6(1)(f)): processing for security, fraud prevention, product improvement, and service communications, where our interests do not override your rights.
  • Legal obligation (Article 6(1)(c)): processing required by law, such as financial record-keeping.
  • Consent (Article 6(1)(a)): for analytics or marketing cookies, and any other processing where we specifically ask for your consent.

6. Special category and criminal records data

Organisations using the safeguarding, chaperoning, and medical notes modules of TheatreStack may record special category personal data (within the meaning of Article 9 UK GDPR), including:

  • Health data: medical conditions, medication, allergies, and emergency notes about children and adult members;
  • Safeguarding records: incident reports, case notes, and referral decisions that may reveal health, sexual life, or other sensitive matters;
  • Criminal records data: DBS check reference numbers and check dates.

We only process this data as a processor on the organisation's instructions. The organisation (as controller) is responsible for ensuring it has an appropriate lawful basis and (for special category data) a Schedule 1 condition under the Data Protection Act 2018 — typically the safeguarding of children and individuals at risk (DPA 2018, Schedule 1, Part 1, paragraph 18) or the employment/DBS processing condition (DPA 2018, Schedule 1, Part 1, paragraphs 1 and 6).

We implement additional technical controls for these data types, including access-scoped role permissions and comprehensive audit logging of who views or exports safeguarding and medical records.

7. Children's personal data

TheatreStack is designed for use by amateur theatre societies that may involve child performers and participants. The platform includes features for managing child profiles, performance licences, chaperone ratios, and safeguarding compliance.

Children do not register for TheatreStack accounts directly. Children's personal data is entered by adult members or committee members of the organisation. The organisation is the controller of this data and is responsible for:

  • Obtaining appropriate consent or other lawful basis from parents/guardians;
  • Providing parents/guardians with appropriate privacy information;
  • Ensuring access to children's records is appropriately restricted;
  • Retaining children's data only as long as necessary.

We do not use children's personal data entered by organisations for our own marketing or analytics purposes.

As a responsible SaaS provider, we have implemented the following technical safeguards for children's data: role-based access controls; audit logging of access to child profiles and safeguarding records; and separate data retention guidance aligned with Working Together to Safeguard Children 2023.

8. Who we share data with

We do not sell personal data. We may share data with:

Sub-processors

We use third-party services to help deliver the Service. Each sub-processor is subject to appropriate data processing agreements. Our current sub-processors include:

| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Infrastructure and hosting | United Kingdom (London) |
| Postmark | Transactional email delivery | United Kingdom (London) |
| Stripe | Payment processing and billing | United Kingdom (London) |
| DigitalOcean Managed Databases | Data storage | United Kingdom (London) |
| Google Analytics | Website analytics (consent required) | United Kingdom (London) |

We will update this list when sub-processors change.

Legal and regulatory disclosures

We may disclose personal data where required by law or court order, or to protect the safety of individuals (including in safeguarding situations where we believe there is a risk of serious harm).

Business transfers

If we sell or transfer our business or assets, personal data may be transferred as part of that transaction. We will notify affected users in advance where required.

9. Where we store your data and international transfers

The core TheatreStack platform — including member profiles, safeguarding records, documents, and the database — is hosted in the United Kingdom (London). Your sensitive records do not routinely leave the UK.

A small number of supporting services (for example, transactional email and payment processing) are operated by providers headquartered outside the UK. Where any personal data is processed or transferred outside the UK, we ensure an appropriate safeguard is in place as required by UK GDPR Chapter V — such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or transfers to countries covered by UK adequacy regulations.

10. How long we keep data

We retain personal data only for as long as necessary for the purposes described in this policy, and in line with applicable legal obligations. Our standard retention periods are:

| Data type | Retention period | Reason |
|---|---|---|
| Account and profile data | Duration of subscription + 90 days after termination | To allow data export; then deleted or anonymised |
| Billing records | 7 years | HMRC financial record-keeping requirements |
| Server and application logs | 90 days | Security monitoring; then deleted |
| Cookie consent records | 3 years | To demonstrate compliance with PECR |
| Support communications | 3 years | To resolve disputes; then deleted |
| Safeguarding records (processor — guidance for organisations) | Until youngest involved child turns 25, or a minimum of 7 years — whichever is longer | Working Together to Safeguard Children 2023; statute of limitations |
| DBS check records (processor — guidance for organisations) | Up to 6 months after the check date | ICO guidance on DBS records |
| Child performance licence records (processor — guidance for organisations) | Duration of membership + 7 years (or until child turns 25) | Regulatory and legal obligations |
| Session and attendance registers (processor — guidance for organisations) | 7 years | Employment and safeguarding liability |

Guidance for organisations (processors): The retention periods above for safeguarding, DBS, and children's records are guidance we provide to organisations based on applicable UK law and statutory guidance. Organisations should apply these as a minimum and take their own legal advice on any specific obligations.

11. Your rights under UK GDPR

You have the following rights in respect of personal data that we hold as a controller. For data held by your organisation (as controller), please contact your society directly.

  • Access (Article 15): You can request a copy of the personal data we hold about you.
  • Rectification (Article 16): You can ask us to correct inaccurate or incomplete data.
  • Erasure (Article 17): You can request deletion of your data in certain circumstances (e.g. where we no longer need it and you withdraw consent). We may need to retain some data for legal purposes.
  • Restriction (Article 18): You can ask us to restrict processing in certain circumstances.
  • Portability (Article 20): Where processing is based on consent or contract and carried out by automated means, you can request a machine-readable copy of your data.
  • Objection (Article 21): You can object to processing based on legitimate interests.
  • Withdraw consent (Article 7(3)): Where we rely on consent, you can withdraw it at any time.
  • Automated decision-making (Article 22): You have the right not to be subject to solely automated decisions that have significant effects on you. TheatreStack does not use automated decision-making of this kind.

To exercise your rights, you can use the privacy settings in your TheatreStack account, or contact us at [email protected]. We will respond within one calendar month (extendable by two further months in complex cases). We may need to verify your identity before processing your request.

TheatreStack includes a built-in data request management tool. Logged-in users can submit access, erasure, and portability requests directly via Privacy settings.

12. Cookies

We use cookies and similar technologies on the TheatreStack platform. For full details, see our Cookie Policy.

You can manage your cookie preferences at any time via Cookie preferences. Strictly necessary cookies cannot be disabled as the Service relies on them.

13. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit (TLS) and at rest;
  • Passkeys-first multi-factor authentication;
  • Granular role-based access controls;
  • Comprehensive audit logging, including access to safeguarding and sensitive records;
  • Regular access reviews and least-privilege principles.

No system is completely secure. If you believe your account has been compromised, please contact us immediately at [email protected]. We will notify affected organisations without undue delay in the event of a personal data breach, as required by UK GDPR Article 33.

For more information, see our Security page.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and update the "Last updated" date. If changes are material, we will notify you by email or via an in-app notice. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

15. Contact us and complaints

For any privacy-related queries, to exercise your rights, or to report a concern, please contact:

Theatre Stack Ltd (trading as TheatreStack)
Email: [email protected]
Address: TBC

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk/make-a-complaint/
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
