Privacy Policy
Last updated: 23 May 2026
1. Who we are
ApexGo ("ApexGo", "we", "us") operates a hosted ticketing, memberships, and bar / point-of-sale platform for sports clubs and event organisers. Our registered company details, registered address, and Information Commissioner's Office (ICO) registration number will appear in this section after the solicitor review referenced at the top of this page.
For privacy questions or to exercise your rights under UK GDPR, contact us at privacy@apexgo.co.uk.
2. The controller / processor distinction
This policy describes the personal data ApexGo handles as a controller — primarily the data of our direct customers (club administrators, staff users and people who visit our marketing site).
When supporters, members or customers of a club use that club's ticketing or shop, the club is the data controller and ApexGo is its data processor. You should look at the club's own privacy notice for how they handle your data. Where this policy covers data we process on behalf of a club, we have flagged it.
3. What personal data we collect
From dashboard users (controller)
- Account data: name, email address, hashed password, role, organisation, profile photo (optional).
- Verification data: email verification tokens (kept until used or expired) and timestamps.
- Billing data: Stripe customer ID, billing email, plan, subscription state. Card numbers and bank details are held by Stripe — we never see them.
- Activity data: login timestamps, IP address used to log in (security audit), actions taken in the dashboard.
- Support communications: any emails or messages you send us.
From visitors to apexgo.co.uk (controller)
- Pages visited, referring URL, browser type and approximate location (city level), where you have consented to analytics cookies. See our Cookie Policy.
- Information you submit through demo-request or contact forms.
From end customers of a club (processor — on behalf of the club)
- Name, email, postal address, phone (where the club's checkout asks for it).
- Ticket and order history, membership tier, scan-in records.
- Member account credentials (hashed) for clubs that use member logins.
- Email broadcast preferences for that club.
4. How we use personal data and the legal basis
| Purpose | Personal data | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Provide the dashboard and the contracted Service | Account, activity, billing | Contract (6(1)(b)) |
| Take payment, calculate fees, settle to clubs | Billing, transaction | Contract (6(1)(b)) |
| Customer support | Account, support correspondence | Contract (6(1)(b)) |
| Security, fraud prevention, audit | Activity, IP, login timestamps | Legitimate interests (6(1)(f)) |
| Product analytics on the marketing site | Visit data | Consent (6(1)(a)) |
| Service email (verification, billing receipts, security alerts) | | Contract (6(1)(b)) |
| Marketing email about new ApexGo features | | Soft opt-in / consent (PECR) |
| Comply with tax, accounting and legal duties | Billing, transaction | Legal obligation (6(1)(c)) |
5. Who we share data with
We share personal data with the following categories of recipient:
- Stripe — payments processor and our subscription biller. Receives card data directly from the user's browser; we only see tokens.
- Email service providers — to send transactional and marketing email.
- Cloud hosting providers — to run the Service. Data is stored in the United Kingdom and the European Economic Area.
- Domain and DNS providers — for resolving club websites and custom domains.
- Professional advisers — accountants, auditors, lawyers, on a confidential basis.
- Law enforcement and regulators — only where required by valid legal process.
The full list of sub-processors with the data they handle and where they are located will be published at apexgo.co.uk/sub-processors as part of our DPA work; the link will be added here when it is live.
We do not sell personal data to third parties, and we do not use personal data to train AI models.
6. International transfers
Our primary infrastructure is hosted in the UK and EEA. Some providers (e.g. Stripe, certain email providers) may transfer data to the United States. Where transfers happen outside the UK / EEA, they are protected by UK International Data Transfer Agreements (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism recognised by the ICO.
7. How long we keep data
| Category | Retention |
|---|---|
| Active account data | While your account is open |
| Closed account data (general) | 30 days after closure, then deleted |
| Financial records (invoices, transaction ledgers) | 6 years (UK tax law) |
| Support correspondence | 2 years from the last message |
| Email verification tokens | Until used, expired, or 30 days, whichever is first |
| Login audit logs | 12 months |
| Analytics on the marketing site (with consent) | 14 months |
8. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate personal data;
- Erase personal data we no longer have a lawful basis to hold (the "right to be forgotten");
- Restrict our processing in certain circumstances;
- Port personal data you provided to us to another service;
- Object to processing based on legitimate interests or for direct marketing;
- Withdraw consent at any time, where consent is the basis (this does not affect prior lawful processing).
To exercise any of these rights, email privacy@apexgo.co.uk. We will respond within one month. There is no fee unless the request is manifestly unfounded or excessive, in which case we will explain why before charging.
If you are an end customer of a club (not a dashboard user), your rights are exercised against the club as data controller — they will respond using tools we provide. We will support the club's response where you also write to us.
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/concerns or 0303 123 1113. We would appreciate the chance to address your concern first, but you may complain to the ICO at any time.
9. Security
We use industry-standard security measures including TLS for all traffic, hashed passwords (bcrypt or argon2), least-privilege access controls, separate per-organisation database scoping, and regular off-site backups. No system is completely secure: please tell us at security@apexgo.co.uk if you become aware of a vulnerability.
Where a personal data breach affecting your rights and freedoms occurs, we will notify the ICO within 72 hours and, where required, notify you without undue delay.
10. Children
The dashboard is intended for adults (16+) running a club or business account. Clubs may sell tickets to events suitable for children; in those cases the club is the controller and any age-related processing is governed by the club's own privacy notice.
11. Cookies
We use cookies and similar technologies. The details are in our Cookie Policy. You can control non-essential cookies via the consent banner on your first visit and at any time from the "Cookie preferences" link in the footer.
12. Automated decision-making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to active account holders and via a banner in the dashboard. The "Last updated" date at the top of this page always reflects the current version.
14. Contact
Privacy questions: privacy@apexgo.co.uk.
Security issues: security@apexgo.co.uk.
General: hello@apexgo.co.uk.
