Privacy Policy

RACEHORSE OWNERS ASSOCIATION - PRIVACY POLICY

This Privacy Policy is provided in a layered format so you can click through to the specific areas set out below.

About us and how to contact us
Information we collect about you
How we collect and use your information
Who we share your information with
How we store your information and how long we store it for
Cookies
International transfers of your information
Your rights
Updates to this Privacy Policy

1. About us and how to contact us

We are the Racehorse Owners Association Limited, a company incorporated in England and Wales with company number 00398604 and whose registered office is at 12 Forbury Road, Reading RG1 1SB, England (“we”, “us”, “our”, or the “ROA”). We promote and protect the interests of racehorse owners in Great Britain, and have over 7,500 members.

We are registered as a data controller with the Information Commissioner’s Office (registration number ZA207366). As a controller of your personal data (i.e. any information about an individual from which that individual can be identified), we are committed to protecting and respecting your privacy.

Any questions or requests regarding this Privacy Policy, including any requests in respect to your personal data that we process, may be sent by post to the above-stated address or emailed to our data protection representative at [email protected].

This Privacy Policy (together with our Cookie Policy and MembershipTerms and Conditions) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

This website is not intended for children and we do not knowingly collect data relating to children.

Our website may include links to third-party websites and applications. We do not control these third-party websites and are not responsible for their privacy statements, notices, or policies. When you leave our website, we encourage you to read the privacy notice of every website you visit. We do not accept any responsibility or liability for the privacy policies or notices on third-party websites. Please check these policies before you submit any personal data to such third-party websites.

2. Information we collect about you

Depending on which of our services you use, we collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows[RS4] :

CCTV Data, which refers to closed-circuit television recordings of you attending our premises.
Contact Data, which includes email address, billing address, and telephone number(s).
Financial Data, which includes payment card details and other financial and billing information.
Facial Data, which includes any personal data derived from the photograph used on your ROA membership card.
Identity Data, which includes first name, last name, title, and date of birth.
Marketing and Communications Data, which includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Profile Data, which includes information about your feedback and survey responses.
Technical Data, which includes your internet protocol (IP) address, cookie identifiers, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
Usage Data, which includes information about how you use our website and products, such as clickstream to, through, and from our website (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from particular pages of our website.
VAT Data, which includes name of your syndicate or partnership and VAT registration number (if applicable).

3. How we collect and use your information

We collect your personal data from your visits to our website, your completed and submitted membership application forms (whether on paper or online), your membership card, and your submitted preferences to us regarding receipt of our newsletters and other communications. If you have signed up to use our VAT Solution Service, we will obtain VAT Data from you in the course of providing that service.

We will only collect and process your personal data where we have a lawful basis to do so, i.e. where:

we need your personal data to perform a contract with you (for example, to process a payment from you, fulfil your order or provide customer support connected with an order);
the processing is in our legitimate interests (as described below) and not overridden by your rights;
we have a legal obligation to collect or disclose personal data from you; or
we have your consent to process your personal data.

The following table sets out what personal data we collect about you, what we use that personal data for, and our lawful basis for doing so. Please be aware that we may process your personal data using more than one lawful basis, depending on the specific purpose or activity.

Purpose /Activity	Type of data	Lawful basis for processing
To register you as a member of the ROA (and, if you request this, to renew your membership) and to provide you with our services available to members, including (but not limited to) enabling you to attend online or in-person events that we have organised and to provide you with your membership card	(a) Identity (b) Contact (c) Facial (d) Technical (e) Financial	Performance of a contract with you
To process payments from you and refunds to you, and collect any money that you owe to us	(a) Identity (b) Contact (c) Financial	(a) Performance of a contract with you (b) Necessary for our legitimate interests (for collecting money owed to us)
To manage our relationship with you, including handling any complaints or queries and notifying you about changes to our Membership Terms and Conditions and/or this Privacy Policy	(a) Identity (b) Contact (c) Transaction (d) Profile	(a) Performance of a contract with you (b) Necessary to comply with our legal obligations
To provide our VAT Solution Service to you (if you have signed up for this)	(a) Identity (b) Contact (c) Financial (d) VAT (e) Technical	(a) Performance of a contract with you (b) Your explicit consent to transfer your VAT Data to the United States (see section 7 below for further information)
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Technical (d) Profile	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation) (b) Necessary to comply with our legal obligations
To use data analytics to improve our website, services, marketing, member relationships and experiences	(a) Technical (b) Usage (c) Profile	Necessary for our legitimate interests (to keep our website updated and relevant and ensure that its content is presented in the most effective manner for you and for your device, to develop our business, and to inform our marketing strategy)
To make suggestions and recommendations to you about our services that are similar to services that we have previously provided to you by way of email or text message or to make suggestions and recommendations to you about any of our services by way of post	(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications	Necessary for our legitimate interests of marketing the ROA and its services to you
To make suggestions and recommendations to you about our services that are not similar to services that we have previously provided to you by way of email, text message. and/or social media messaging	(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications	Your consent (you can withdraw this at any time by clicking the link to unsubscribe in our marketing emails and/or the relevant ‘STOP’ number in text messages, or by contacting us using the details above)
To enable you to enter our prize draws and competitions and take part in our surveys	(a) Identity (b) Contact (c) Technical (d) Profile	(a) Performance of a contract with you (b) Necessary to comply with our legal obligations applicable to prize draws and competitions (c) Necessary for our legitimate interests (for understanding your preferences as a member and so that we can our website, services, marketing, member relationships and experiences)
To protect us, our customers, and our website from fraud and theft	(a) Identity (b) Contact (c) Financial (d) Transaction (e) VAT	Necessary for our legitimate interests of detecting and preventing fraud
To ascertain which (if any) new members have been referred to us by you	Identity	Necessary for our legitimate interests of understanding how our new members find out about the ROA
To record CCTV footage at our premises	CCTV	Necessary for our legitimate interests of preventing and detecting crime, and safeguarding staff and visitors to our premises

If you are a racehorse trainer, we also collect publicly available information about you for our legitimate interests of expanding our knowledge of the British racehorse industry.

Where the lawful basis stated above is your consent, you have the right to withdraw this consent at any time. You may also object to our processing in certain circumstances where our lawful basis for processing is our legitimate interests. Please see section 8 below for further information on how to exercise these rights.

Please note that, where we rely on your consent or our legitimate interests to process your personal data and you withdraw that consent or object to our processing, we may no longer be able to provide certain services to you that are dependent on this processing.

If any of your personal data (such as your Contact Data) changes, please ensure that you let us know by editing this in your account settings, so that the information we have about you is kept up to date.

4. Who we share your information with

We share your personal information with the following third parties:

your Identity Data and Contact Data will be shared with Weatherbys Limited, which maintains the ROA’s membership database and performs related services in relation to the software of that database, and the British Horseracing Authority, which is responsible for the governance, administration, and regulation of horseracing and the wider horseracing industry in Britain;
if you sign up to use our VAT Solution Service , your Identity Data, Contact Data, Financial Data, Technical Data, and VAT Data will be shared with HMRC and Xero Limited, which provides the online platform into which the relevant information is entered as part of the service; and
if you receive email marketing communications from us, your Contact Data and Marketing and Communications Data will be shared with Mailchimp, an online marketing platform operated by The Rocket Science Group LLC. If you currently receive email marketing communications from us, you can always object to this or withdraw your consent to receiving such communications at any time, in which case we will no longer share your personal information with Mailchimp.

Depending on the services we provide to you, your personal information will sometimes be shared with other contractors or suppliers who assist us in providing the services (for example, events companies who help us to organise ROA events for our members).

In each of the above cases, your personal information is shared securely, these activities are carried out under a contract which imposes strict requirements to keep your personal data confidential and secure.

We may be required to share your personal information for prevention of crime or for taxation purposes (for example, with the police or HMRC) or where otherwise required to do so by other regulators or by law.

5. How we store your information and how long we store it for

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

6. Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website.

For further information on cookies (including about how we use them and when we will request your consent before placing them and how to disable them), please see our Cookie Policy.

7. International transfers of your information

We will transfer your personal data outside of the United Kingdom in the following circumstances :

if you sign up to use our VAT Solution Service, your Identity Data, Contact Data, Financial Data, Technical Data, and VAT Data will be transferred to New Zealand and the United States; and
if you receive email marketing communications from us, your Contact Data and Marketing and Communications Data will be shared with Mailchimp, whose servers and offices are located in the United States.

The above-mentioned countries do not have the same data protection laws as the United Kingdom. A formal decision has been made under UK adequacy regulations that New Zealand provides an adequate level of data protection similar to those that apply in the United Kingdom.

Although no formal decision has yet been made that the United States provides an adequate level of protection similar to those which apply in the United Kingdom, any transfer of your personal information to the United States will either be undertaken only subject to your explicit consent (which you can withdraw at any time) or will otherwise be subject to appropriate safeguards under Article 46 of the UK GDPR, which are designed to protect your privacy rights and to give you remedies in the unlikely event of a misuse of your personal information. Please contact us using the details provided section 1 of this Privacy Policy if you would like further information on the specific mechanism used by us when transferring your personal data out of the United Kingdom.

Please note that we will not be able to provide you with our VAT Solution Service if you do not give your explicit consent for your VAT Data to be transferred to the United States or if, having previously given this explicit consent to us, you withdraw it (in which case, any agreement you have with us in respect of our VAT Solution Service will terminate).

8. Your rights

Under applicable data protection laws, you have a number of important rights free of charge. In summary, those include rights to:

access to your personal information and to certain other supplementary information that this Privacy Policy is already designed to address;
require us to correct any mistakes in your information which we hold;
require the erasure of personal information concerning you in certain situations (please note this that this right will not apply where it is necessary for us to continue to use the relevant personal information for a lawful reason);
receive the personal information concerning you which you have provided to us (and where the relevant lawful basis stated in section 3 above is your consent or our performance of a contract with you), in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations (please note that this right does not apply to personal data contained only in hard-copy records);
withdraw your consent (if you have given this to us previously) for us to contact you for direct marketing purposes;
object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
object in certain other situations to our continued processing of your personal information; and
otherwise restrict our processing of your personal information in certain circumstances.

If you would like to exercise any of those rights, please contact us using the details provided section 1 of this Privacy Policy, letting us know the information to which your request relates.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests (in which case we will notify you and keep you updated).

There are some exceptions to the rights listed above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.

We hope that we can resolve any query or concern you raise about our use of your information. You have the right to make a complaint at any time to the supervisory authority in the United Kingdom for data protection issues, the Information Commissioner’s Office (ICO), whose website is at www.ico.org.uk. We would, however, appreciate the opportunity to deal directly with your concerns before you approach the ICO, and would be pleased to respond to any such complaints as your first-priority contact.

9. Updates to this Privacy Policy

This Privacy Policy was last updated on 27 May 2021.

We may amend this Privacy Policy from time to time as necessary to comply with law or for legitimate business purposes. Any changes we make to this Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to this Privacy Policy.