LayUp Privacy Policy
Effective date: [Insert on publication] Last updated: [Insert on publication]
Plain-English summary
This box is a plain-English summary of the formal policy below. The formal policy is the legally binding part.
- Who we are. LayUp Ltd, the company behind the LayUp sports court booking service. We are the data controller for your personal data when you use our service.
- What data we collect. Your name, email address, phone number, date of birth and address (where the venue requires them); your booking history; payment metadata (full card details are held by Stripe, not by us); emergency-contact details where you provide them; analytics and cookie data; and, for some venues, the login credentials you give us so we can book on your behalf.
- What we do with it. Mainly: provide you the booking service; communicate with you about your bookings; comply with our legal obligations; and improve our service. We only send marketing emails if you have opted in.
- Who we share it with. Venues you book with and the platforms they list on; our payment provider (Stripe); our email provider (Mailgun); our analytics provider (Google Analytics 4); our hosting providers (Vercel, Supabase, Cloudflare); and our AI service provider (OpenAI) for search features. We don't sell your data.
- What we do that you should know about. For some venues, we book courts for you by signing into the venue's own booking platform on your behalf — either using credentials you have given us, or by creating an account with the venue on your behalf using information you provide. We do this only with your explicit authorisation, and we explain it more fully in section 5 below.
- How long we keep your data. Different categories have different retention periods — see section 8. In broad terms: until you ask us to delete your account, plus a reasonable period for legal reasons.
- Your rights. You can ask us for a copy of your data, ask us to correct or delete it, object to certain processing, and more. See section 10.
- Contact us. Email
privacy@layupsport.com.
1. About this policy
1.1 This Privacy Policy explains how LayUp Ltd ("LayUp", "we", "us", "our") collects, uses and shares your personal data in connection with the LayUp service (the "Service"), and your rights in relation to that data.
1.2 This Privacy Policy is to be read together with our Terms and Conditions and our Cookie Policy.
1.3 LayUp Ltd is the data controller for the personal data described in this policy. Our registered office is at [Address] and our company number is [Number].
1.4 We are registered with the UK Information Commissioner's Office (ICO) under registration number [Number — to be obtained on incorporation].
1.5 We may update this Privacy Policy from time to time. The effective date at the top shows when it was last changed. If we make material changes we will give you reasonable notice (for example, by email or by a prominent notice on the Service).
2. The personal data we collect
We collect the following categories of personal data.
2.1 Information you give us when you sign up or book
- Name (first name, last name) and title
- Email address
- Phone number
- Date of birth
- Home address (line 1, town/city, county, postcode)
- Emergency-contact details (name, phone number, relationship) where you choose to provide them
- Booking details (court, time, sport, venue, participants where applicable)
- Marketing preferences (your opt-in / opt-out choices)
- Sports preferences (the sports you are interested in)
Some venues require additional information at the point of booking (for example, date of birth for age-verified facilities, or address for booking metadata). Where this is the case we will tell you which fields the venue requires before you confirm the booking.
2.2 Information collected automatically when you use the Service
- Device and browser data (browser type and version, operating system, screen size)
- IP address (used for security, fraud prevention and broad geographic analytics)
- Cookie and similar storage data (see the Cookie Policy for full details)
- Usage data (pages visited, features used, broad interaction patterns)
2.3 Information from third parties
- Payment confirmations from our payment processor (Stripe) — we do not receive or store your full payment card details
- Booking confirmations from venues and from third-party booking platforms (such as confirmation references and booking-status updates)
- Information you supply via the venue's website during a handoff booking, which may be shared back to us by the venue or its platform for booking-status updates
2.4 Information you provide so we can book on your behalf
For some venues, LayUp books your court by signing into the venue's own booking platform on your behalf. This is described in section 5. To do that, we may collect from you:
- A username and password (or equivalent) for the venue's booking platform, which we store encrypted at rest and use only for booking on your behalf or in accordance with your instructions
- Any additional registration information the venue's booking platform requires (such as a full name or date of birth) so we can create or maintain an account on your behalf
We never use these credentials for any purpose other than facilitating bookings you have authorised, and you can revoke our access at any time by removing the linked provider in your account settings or by contacting privacy@layupsport.com.
2.5 Special category data
We do not intentionally collect special category data (such as health data, ethnicity or religious beliefs) as part of the Service. If you choose to share such information with us (for example, in a customer-support message) we will treat it with appropriate care, but we ask that you avoid sharing such information unless strictly necessary.
3. How we use your personal data
We use your personal data for the following purposes:
3.1 To provide the Service:
- Creating and managing your account
- Processing your bookings and transmitting them to the relevant venue or platform
- Making assisted bookings on your behalf (see section 5)
- Processing your payments and remitting the court price to the venue
- Sending you booking confirmations, reminders and cancellation notices
- Providing customer support
3.2 To run our business:
- Maintaining our records (financial, accounting, regulatory)
- Detecting and preventing fraud or abuse
- Securing the Service against unauthorised access
- Resolving disputes and enforcing our Terms and Conditions
3.3 To improve the Service:
- Analytics about how the Service is used (where you have given cookie consent)
- Understanding aggregate patterns of demand across venues and sports
- Improving our search and personalisation features (including via the AI service provider listed in section 6)
3.4 To communicate with you:
- About your bookings and account (transactional and service emails — required)
- About changes to the Service, our terms or our policies (service emails — required)
- About new features, content or offers (marketing — only where you have explicitly opted in by ticking the marketing-consent box at signup, at waitlist, or in your account settings; you can withdraw at any time)
3.5 To comply with our legal obligations:
- Responding to lawful requests from authorities
- Keeping records required by applicable law (tax, accounting, regulatory)
- Responding to data subject rights requests
4. Lawful bases for processing
We rely on the following lawful bases under UK GDPR Article 6 for processing your personal data:
| Purpose | Lawful basis | Notes |
|---|---|---|
| Creating and managing your account; processing bookings; sending booking confirmations, reminders and cancellations; processing payment and remitting venue settlement | Contract (Art. 6(1)(b)) | Necessary to perform the contract you enter into with us when you use the Service |
| Sharing your data with venues and third-party booking platforms in order to fulfil a booking you have made | Contract (Art. 6(1)(b)) | Necessary to perform the booking |
| Creating or maintaining a booking account on your behalf with a venue, or storing credentials you have provided, in order to book on your behalf | Consent (Art. 6(1)(a)) and Contract (Art. 6(1)(b)) | Consent is captured separately and may be withdrawn at any time. Withdrawal does not affect bookings already made on your behalf |
| Customer support and dispute resolution | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest in operating the Service, balanced against your interests |
| Fraud detection and prevention | Legitimate interests (Art. 6(1)(f)) | Our and our users' legitimate interest in keeping the Service safe and secure |
| Service security and infrastructure monitoring | Legitimate interests (Art. 6(1)(f)) | As above |
| Analytics (non-essential cookies and similar) | Consent (Art. 6(1)(a)) | Only where you have explicitly consented via the cookie banner |
| Marketing communications | Consent (Art. 6(1)(a)) | Explicit opt-in only. We do not rely on PECR's soft opt-in. Every marketing email also carries a one-click unsubscribe |
| Financial / tax record-keeping | Legal obligation (Art. 6(1)(c)) | Required by HMRC, Companies House and similar |
| Responding to lawful requests from authorities | Legal obligation (Art. 6(1)(c)) | As required |
We can provide further information on our balancing tests (legitimate interests assessments) on request.
5. How LayUp interacts with third-party booking platforms
This section explains, in more detail than is usual in a privacy policy, how LayUp interacts with the booking platforms used by the venues you book through us. We explain it in detail because (a) it involves us using your information in ways you ought to know about and (b) some of it requires your explicit authorisation.
5.1 Two methods: handoff and assisted
For some venues we use a handoff model: we redirect you to the venue's own booking page to complete the booking yourself. In handoff bookings, the venue (and its booking platform) collect your personal data directly; LayUp's role is limited to surfacing availability and facilitating the handoff. We will tell you when a booking will be completed by handoff before you confirm.
For other venues we use an assisted model: LayUp books the court for you, acting as your agent, by interacting with the venue's booking platform on your behalf. Assisted booking is described in detail below.
5.2 Assisted booking — what we do
To make an assisted booking we may, with your explicit authorisation:
(a) Use credentials you have given us. Where you have linked a booking-platform account to LayUp (for example, by providing your Better Leisure username and password through our "Connect Account" flow), we store those credentials encrypted at rest and use them only to sign in to that platform to book on your behalf, or in accordance with your other instructions.
(b) Create a booking account on your behalf. Where you have authorised us to do so, we may create an account with the venue or its booking platform using information you have provided to us (such as your name, email address, phone number and date of birth). We do this only where strictly necessary to complete bookings you have asked us to make, and we tell you which platforms we have created accounts on.
(c) Communicate the booking instruction. We send the booking instruction to the venue's booking platform on your behalf, using either the credentials at (a) or the account at (b).
5.3 Your authorisation
We do not make assisted bookings without your explicit authorisation. Where authorisation is needed, we ask you for it through a clearly worded prompt that:
- describes what we will do on your behalf;
- names the platform we will interact with;
- explains what credentials or information we will store; and
- tells you how to revoke your authorisation.
You may revoke authorisation at any time in your account settings or by contacting privacy@layupsport.com. On revocation we will (i) stop making assisted bookings on the relevant platform for you, (ii) delete any credentials we hold for that platform, and (iii) (where you ask us to) take reasonable steps to close any account we created on your behalf. Bookings already confirmed at the time of revocation are unaffected.
5.4 The booking-platform relationship
The third-party booking platforms (such as Better, Playtomic, MATCHi and others listed at section 6.2 below) are themselves data controllers for the personal data they receive when we make a booking on your behalf, and they process that data in accordance with their own privacy notices. We encourage you to read those notices for the platforms relevant to bookings you make through LayUp.
6. Who we share your personal data with
We share your personal data with the following categories of recipient. We do not sell your personal data to any third party.
6.1 Service providers (data processors acting on our behalf)
| Provider | Role | Country of processing |
|---|---|---|
| Stripe | Payment processing | UK / EU / United States (see section 7 on transfers) |
| Supabase | Database and authentication infrastructure | European Economic Area (Frankfurt / Stockholm region) |
| Vercel | Web hosting (marketing site and application) | EU / United States |
| Mailgun | Transactional and (where opted in) marketing email | EU (we use the api.eu.mailgun.net endpoint) |
| Google Analytics 4 | Website analytics (consented cookies only) | EU / United States |
| Google Workspace | Our internal business email and document storage | EU / United States |
| Cloudflare | DNS, CDN, network security | Global anycast network |
| OpenAI | AI-powered search features. Where you use our smart-search feature, the text of your search query is transmitted to OpenAI's API. We do not send your name, email or other identifying information with the query. | United States |
6.2 Venues and third-party booking platforms
When you make a booking, we share the personal data necessary to fulfil the booking with the venue, and (depending on how the venue runs its bookings) with the third-party booking platform on which the venue lists. This typically includes your name and email, and — depending on the venue's requirements — your phone number, date of birth and address. The third-party platforms we currently interact with on your behalf, or to which we hand bookings off, are:
- Better (operated by Greenwich Leisure Limited / GLL)
- Gladstone (used by various local-authority leisure providers, including Tower Hamlets and Southwark councils)
- Active Lambeth (Lambeth Council leisure, operated on the OpenPlay Flow platform)
- Royal Parks (Hyde Park, Regent's Park, Greenwich Park, operated on the OpenPlay Flow platform)
- Everyone Active and Fusion Lifestyle
- Playtomic
- MATCHi
- LTA / ClubSpark (tennis venues across the LTA network)
- FootyAddicts
- PadelMates
- Powerleague
- All Star Tennis (operated on the Mindbody platform)
Each platform and venue is itself a data controller for the personal data it receives, and processes it in accordance with its own privacy policy. We add and remove platforms over time; for an up-to-date list, contact privacy@layupsport.com.
Note that this section concerns sharing of personal data with the platforms. Where we use publicly available data from a platform's website (for example, to display availability) and no personal data is transferred, no controller-controller relationship arises.
6.3 Professional advisers
We may share your personal data with our professional advisers (such as lawyers, accountants or auditors) where strictly necessary for them to provide their services to us.
6.4 Regulators and law enforcement
We may share your personal data with regulators, law enforcement, courts or other public authorities where we are required to do so by law, or where we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.5 Corporate transactions
If LayUp Ltd is involved in a merger, acquisition, financing or sale of all or part of its business, your personal data may be transferred to the entity acquiring or financing the business, subject to that entity undertaking to treat your data in accordance with this Privacy Policy.
7. International transfers
7.1 Some of our service providers process personal data outside the United Kingdom, including in the United States and within the European Economic Area.
7.2 Where personal data is transferred outside the UK, we ensure that an appropriate safeguard is in place under UK GDPR Chapter V. Specifically:
- Stripe, Vercel, Google Analytics 4, Google Workspace and OpenAI — transfers to the United States are made under the UK Extension to the EU-US Data Privacy Framework where the recipient is certified, and otherwise under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
- Mailgun — we use the EU region (
api.eu.mailgun.net); some operational data may be processed in the United States under the safeguards above. - Cloudflare — uses a global anycast network; data may transit through multiple regions, subject to the safeguards above.
7.3 You may contact us at privacy@layupsport.com to request further information about the safeguards we use, including a copy of any Standard Contractual Clauses or International Data Transfer Agreement (with commercial terms redacted).
8. How long we keep your personal data
We retain personal data only as long as is necessary for the purposes for which it was collected, including for any related legal, accounting or reporting purposes.
| Data category | Retention period | Reason |
|---|---|---|
| Account data (name, email, contact details, address) | While your account is active, plus 12 months from your last activity | To allow account recovery and ongoing use, balanced against the storage-limitation principle |
| Booking records | 6 years from the booking date | HMRC tax and accounting requirements (s.386 Companies Act 2006; s.12B Taxes Management Act 1970) |
| Payment metadata (transaction IDs only — full card data held by Stripe) | 6 years | As above |
| Customer-support correspondence | 24 months from resolution | Dispute window |
| Credentials for third-party booking platforms (encrypted) | Until you revoke authorisation or delete your account, then deleted within 30 days | Necessary only for the duration of the authorisation |
| Records of consent (cookie, marketing, assisted-booking authorisation) | 6 years from the latest of: end of the relationship; withdrawal of consent | Limitation Act 1980 / evidential record under Art. 7(1) UK GDPR |
| Marketing preferences | While your account is active, then aligned to the consent-records row above | To honour your stated preferences and prove we have done so |
| Analytics data (Google Analytics 4) | 14 months (GA4 default) | Standard for analytics purposes |
| Cookies | Per cookie — see Cookie Policy | Per cookie type |
| Server / security logs | 90 days | Security and incident response |
When the retention period expires we will delete or anonymise the data. Anonymised data (which can no longer identify you) may be retained indefinitely for analytics purposes.
9. Where your personal data is stored and how we protect it
9.1 Our primary database and authentication infrastructure (Supabase) is hosted in the European Economic Area.
9.2 We use technical and organisational measures appropriate to the risk, including:
- Encryption in transit (TLS) for all data transmission
- Encryption at rest for sensitive data in our database, including for any third-party booking-platform credentials you provide us
- Access controls, role-based permissions and the principle of least privilege for our team and our automated systems
- Multi-factor authentication on key administrative systems
- Regular security review of our infrastructure
- Use of reputable, security-certified service providers
9.3 No security measure can be guaranteed to be entirely effective. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO as required by law, and we will notify you directly where the breach is likely to result in a high risk to your rights and freedoms.
10. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data.
10.1 Right of access. You can ask us for a copy of the personal data we hold about you, and information about how we process it.
10.2 Right to rectification. You can ask us to correct any personal data that is inaccurate or incomplete.
10.3 Right to erasure. You can ask us to delete your personal data (the "right to be forgotten"). We will delete it unless we have a legal reason to keep it — for example, we are required to keep booking and tax records for six years to comply with HMRC. We will tell you what we have deleted and what we have had to keep.
10.4 Right to restrict processing. You can ask us to limit how we use your personal data in certain circumstances.
10.5 Right to data portability. For data processed on the basis of consent or contract, you can ask us to provide a machine-readable copy that you can transfer to another service.
10.6 Right to object. You can object to our processing of your personal data on the basis of legitimate interests, including for direct marketing. Where you object to direct marketing we will stop.
10.7 Right to withdraw consent. Where we rely on your consent (including for assisted-booking authorisation, marketing, or analytics cookies), you can withdraw it at any time. Withdrawing consent does not affect the lawfulness of processing before the withdrawal.
10.8 Rights related to automated decision-making. We do not currently make decisions about you based solely on automated processing that produce legal or similarly significant effects. Our search ranking is informed by algorithms (including the OpenAI sub-processor identified at section 6.1), but the choices about which courts to book remain yours.
10.9 How to exercise your rights. You can exercise any of these rights by contacting us at privacy@layupsport.com. We may need to verify your identity before responding. We will respond within one month, unless the request is complex, in which case we may extend by a further two months and tell you why.
10.10 Right to complain to the ICO. You have the right to lodge a complaint with the Information Commissioner's Office:
- Website:
ico.org.uk - Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns directly first.
11. Children's privacy
The Service is not intended for, and we do not knowingly collect personal data from, children under 18. If you believe a child has provided personal data to us, please contact privacy@layupsport.com and we will take steps to delete it.
12. Contact us
For any privacy-related question, request or complaint:
- Email:
privacy@layupsport.com - Postal: LayUp Ltd, [Address], United Kingdom
- Company number: [Number, once incorporated]
We do not currently have a Data Protection Officer (DPO), as we are not required to appoint one under UK GDPR Article 37. We will appoint one if and when our processing activities require it.
End of document. Version 2.0 — last updated 2026-05-27.