Legal

Privacy Policy

How we collect, use, and protect your personal data.

Last Updated: 25 February 2026

Broad Reach Bookings ("Broad Reach", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Broad Reach Software and Services.

Please read this policy carefully. If you disagree with its terms, please discontinue use of the Service immediately.

1. Information We Collect

1.1 Subscriber Account Data

When you register for a subscription, we collect:

  • Name, email address, and contact details of account holders and administrators;
  • Business name, address, and other organisational information;
  • Payment and billing information (processed securely via Stripe; we do not store full card numbers);
  • Login credentials (passwords are hashed and never stored in plain text).

1.2 Subscriber-Managed Client Data

As part of operating the platform on your behalf, we store data you enter about your clients, including:

  • Names, email addresses, phone numbers, and postal addresses;
  • Date of birth and emergency contact information (where provided);
  • Medical information and disability disclosures (where provided for course eligibility purposes);
  • RYA certifications, course history, and qualification records;
  • Signed digital waivers and forms;
  • Booking and payment history;
  • GDPR consent records and communication preferences.

You, as the Subscriber, are the data controller for your clients' personal data. We act as a data processor on your behalf. You are responsible for obtaining appropriate consent and providing your clients with notice of how their data will be used.

1.3 Usage and Operational Data

We automatically collect certain information when you use the Service:

  • Log data (IP address, browser type, pages visited, time and date of access);
  • Device information (operating system, device identifiers);
  • Activity logs generated within the platform for audit and security purposes.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Broad Reach Software and Services;
  • Process payments and manage subscriptions (including billing notifications and receipts);
  • Send transactional communications such as booking confirmations, reminders, and course notifications on behalf of Subscribers;
  • Send platform service communications, including update notices, security alerts, and support messages;
  • Improve, personalise, and expand the Service;
  • Monitor usage and analyse trends to understand how the Service is used;
  • Detect, prevent, and address technical issues, fraud, or misuse;
  • Comply with legal obligations.

3. Legal Basis for Processing (GDPR)

For users in the UK and European Economic Area, we process personal data under the following legal bases:

  • Contract performance — processing necessary to provide the Services you have subscribed to;
  • Legitimate interests — improving the platform, preventing fraud, and ensuring security;
  • Legal obligation — where we are required to retain data by law;
  • Consent — where you have given specific consent (e.g. marketing communications), which may be withdrawn at any time.

4. How We Share Your Information

We do not sell your personal data. We may share information with:

4.1 Service Providers

We use trusted third-party providers to help deliver the Service, including:

  • Stripe — payment processing;
  • Twilio — SMS messaging;
  • SendGrid / email providers — transactional and automated email delivery;
  • Xero — accounting integration (if enabled by Subscriber);
  • DigitalOcean / hosting infrastructure — secure cloud hosting and database storage;
  • OpenAI — AI-powered features (if the AI Assistant add-on is enabled; only anonymised, aggregated prompts are sent).

All service providers are bound by data processing agreements and are required to handle data securely and in accordance with applicable law.

4.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g. court order or government agency).

4.3 Business Transfers

If Broad Reach is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. You will be notified via email and/or a prominent notice within the Service prior to your data being transferred.

5. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. On account termination:

  • Subscriber account data is retained for up to 90 days to allow reactivation, then deleted;
  • You may request immediate export and deletion of your data by contacting us;
  • Certain data may be retained longer where required by law (e.g. financial records for tax compliance).

6. Data Security

We implement industry-standard technical and organisational measures to protect your data, including:

  • Encryption at rest and in transit (TLS/HTTPS);
  • Hashed password storage;
  • Role-based access controls;
  • Regular security monitoring and audit logging;
  • Automated database backups with geo-redundant storage.

No method of transmission over the internet is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

7. Cookies

The Broad Reach website uses cookies and similar tracking technologies to improve user experience and analyse traffic. You can control cookie preferences through your browser settings. We use:

  • Essential cookies — required for the website to function;
  • Analytics cookies — to understand how visitors interact with our site (e.g. Google Analytics);
  • Marketing cookies — only where you have given consent.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you;
  • Rectification — request correction of inaccurate or incomplete data;
  • Erasure — request deletion of your data ("right to be forgotten");
  • Restriction — request that we restrict processing of your data;
  • Portability — receive your data in a structured, machine-readable format;
  • Objection — object to processing based on legitimate interests;
  • Withdrawal of consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, please contact us at privacy@broadreachbookings.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. International Transfers

Your data may be processed and stored in countries outside the UK or EEA. Where this occurs, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses) to protect your data to the same standard required under UK GDPR.

10. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16 without verifiable parental consent. If you believe we have inadvertently collected such data, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting the new policy on this page and, where appropriate, by email. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us: