Tennis In Lambeth

Privacy Notice

Lambeth Council Privacy Notice for Court Bookings via ClubSpark and Stripe

Last updated: 23/03/2026
Data Controller: Lambeth Council
Service Area: Sports and Leisure – Court Bookings

1. Purpose of this Privacy Notice

This Privacy Notice explains how Lambeth Council (“we”, “us”, “our”) collects, uses, shares, and protects your personal data when you book sports courts or related services using the ClubSpark platform and when you make payments processed by Stripe.

This processing is carried out in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This service‑specific Privacy Notice is intended to supplement, not replace, the overarching Lambeth Council Corporate Privacy Notice, which applies to all personal data processed by the Council in the exercise of its public functions. Nothing in this document limits Your rights or Our obligations set out in the Council’s primary Privacy Notice.

You should read this notice together with the main Lambeth Council Privacy Notice, which provides further detail on how the Council processes personal data, the legal bases relied upon, data subject rights, data retention, and routes for raising concerns or complaints. The Corporate Privacy Notice is available on the Council’s website and at the link below.

www.lambeth.gov.uk/about-council/privacy-data-protection/privacy-notice

2. Who We Are (Data Controller)

Lambeth Council is the Data Controller for personal data collected in connection with the management of sports facilities, including online court bookings, membership administration, venue access, and payment handling.

Contact:
Data Protection Officer (DPO)
Email: dpo@lambeth.gov.uk
Address: Lambeth Town Hall, Brixton Hill, London, SW2 1RW

3. Platforms and Third‑Party Providers We Use

3.1 ClubSpark (Platform Provider)

We use the ClubSpark platform to manage bookings, memberships, and customer interactions. ClubSpark provides the website, booking engine, account management tools and associated services.
ClubSpark’s platform operation and user interaction terms are governed by their own service terms. [pcidssguide.com]

3.2 Stripe (Payment Processor)

Online payments made during the booking process are handled securely by Stripe, the integrated payment provider used within ClubSpark. Stripe processes your card information and transfers funds to Lambeth Council. [clubspark.co]

Lambeth Council does not receive or store your full card details.

4. What Personal Data We Collect

We collect the following categories of personal data:

4.1 Information you provide directly

  • Name
  • Contact details (email, phone number)
  • ClubSpark account details
  • Booking history
  • Membership status (if applicable)
  • Age confirmation for under‑18 safeguarding purposes
  • Optional communication preferences

4.2 Information processed for payments

Handled by Stripe:

  • Cardholder name
  • Billing information
  • Partial card details (last 4 digits)
  • Payment reference and transaction metadata
    Lambeth Council does not access full card numbers, CVV codes, or PIN data.

4.3 Technical data

Via ClubSpark:

  • IP address and device/browser information
  • Login logs
    These are processed for security, fraud prevention, and service functionality.

 

5. Why We Use Your Personal Data (Legal Basis)

Purpose

Legal Basis

To manage and administer bookings, memberships, and access to council sports facilities

Performance of a contract

To process payments securely via Stripe

Performance of a contract

To communicate booking confirmations, cancellations, and service updates

Legitimate interest / Contract

To manage venue safety, access control and misuse prevention

Legitimate interest

To comply with financial, audit, safeguarding, and public authority obligations

Legal obligation

To investigate complaints, incidents or misuse (e.g., repeated no‑shows or access misuse)

Legitimate interest / Legal obligation

6. How Your Data Is Processed

6.1 Within ClubSpark

ClubSpark hosts your booking and account data as part of its platform provision. Their systems control user authentication, booking schedules, and communication tools. [pcidssguide.com]

6.2 Within Stripe

Stripe securely processes your payment, collects required transaction details, and ensures your booking is confirmed only after successful payment. Stripe and ClubSpark jointly enable the payment flow for bookings. [clubspark.co]

All payment data is encrypted and compliant with PCI DSS requirements (Stripe’s responsibility as processor).

7. Who We Share Your Data With

Your data may be shared with:

  • ClubSpark (as a data processor) for delivery of booking services
  • Stripe (as a payment processor) for secure payment handling
  • Internal Lambeth Council teams responsible for facility management, safeguarding and finance
  • Law enforcement or regulatory bodies where required by law
  • IT and system support partners under formal contracts

We do not sell your personal data to any third parties.

8. International Transfers

Stripe may transfer payment data outside the UK (for example, to the United States), but only where lawful safeguards are in place, such as adequacy decisions or Standard Contractual Clauses (SCCs).

ClubSpark hosting arrangements may also involve securely managed international transfers under their platform terms.

9. Data Retention

We retain your data only as long as necessary for:

  • Managing active bookings or memberships
  • Compliance with financial regulations (typically 6–7 years)
  • Safeguarding, incident reporting or dispute resolution
  • Statutory audit requirements

After retention periods expire, data is securely deleted or anonymised.

10. Your Rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Request correction of inaccurate information
  • Request deletion (where applicable)
  • Restrict or object to certain processing
  • Data portability (where applicable)
  • Withdraw consent where consent is used (most processing is contractual or lawful interest‑based)

To exercise these rights, contact the Lambeth Council DPO (details above).

You also have the right to lodge complaints with the Information Commissioner’s Office (ICO):
https://ico.org.uk

11. Security Measures

We, ClubSpark, and Stripe use technical and organisational measures, including:

  • Encrypted communication (HTTPS/TLS)
  • Account authentication controls
  • Access management and audit logging
  • PCI‑compliant card processing (Stripe)
  • Regular system updates and vulnerability monitoring

Stripe ensures payment card data is processed securely and is not accessible to Lambeth Council. [clubspark.co]

12. Automated Decision‑Making

We do not use automated decision‑making that has legal or significant effects on you.
Some automated fraud checks (e.g., Stripe risk scoring) may occur during payment processing, carried out by Stripe as part of their service.

13. Updates to This Notice

We may update this Privacy Notice to reflect changes in law, technology or Council operations. Updates will be published on our website and within the ClubSpark platform where appropriate.

14. Contact Us

If you have any questions about this notice, please contact:
Lambeth Council Data Protection Officer
Email: dpo@lambeth.gov.uk
Phone: 020 7926 1000