UK GDPR · DATA PROTECTION ACT 2018

PRIVACY POLICY

This policy explains how the U.S.S. Maelgwn fan association collects, uses, stores, and protects your personal data in accordance with UK GDPR and the Data Protection Act 2018.

LAST UPDATED: STARDATE 60649.4 · 14 JUNE 2026

DATA PROTECTION DIRECTIVE

1. WHO WE ARE

The U.S.S. Maelgwn (NCC-75016) is a fan association chapter affiliated with Starfleet International (SFI), Region 20. We operate this website and merchandise store as a non-commercial fan organisation based in the United Kingdom.

For the purposes of UK GDPR, the U.S.S. Maelgwn chapter committee is the data controller responsible for your personal data.

Data Controller Contact:
Fleet Captain Dai Rhys-Jones, Commanding Officer
Email: [email protected]
Website: uss-maelgwn.org.uk

2. WHAT PERSONAL DATA WE COLLECT

We collect and process the following categories of personal data:

  • Identity data: Your name and any rank or title you provide
  • Contact data: Email address and postal address (for order fulfilment)
  • Transaction data: Details of merchandise orders placed through the Quartermaster store
  • Communications data: Messages sent via the Hailing Frequencies contact form
  • Technical data: IP address, browser type, and basic usage data collected via server logs

Payment data: All payment transactions are processed securely by PayPal. We do not collect, store, or have access to your card or bank details at any point.

We do not collect sensitive personal data (special category data) such as health information, racial or ethnic origin, or political opinions.

3. HOW AND WHY WE USE YOUR DATA

We use your personal data only for the following purposes:

  • Order fulfilment: Processing, packaging, and shipping merchandise orders; sending order confirmations and shipping updates.
  • Customer communications: Responding to enquiries submitted via the contact form or by email.
  • Chapter administration: Maintaining records of chapter membership and activities as required by Starfleet International.
  • Legal compliance: Retaining financial records as required by HMRC and applicable UK law.
  • Website operation: Ensuring the website functions correctly and securely.

We do not sell, rent, trade, or share your personal data with third parties for marketing or commercial purposes.

4. LEGAL BASIS FOR PROCESSING

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following:

  • Performance of a contract (Article 6(1)(b)): Processing your order, sending confirmations, and fulfilling your purchase.
  • Legitimate interests (Article 6(1)(f)): Operating the fan club, responding to enquiries, and maintaining chapter records. We have assessed that these interests are not overridden by your rights.
  • Legal obligation (Article 6(1)(c)): Retaining financial and transaction records as required by HMRC (typically 6 years).
  • Consent (Article 6(1)(a)): Where you have explicitly opted in to receive chapter newsletters or updates. You may withdraw consent at any time.

5. DATA RETENTION

We retain your personal data only for as long as necessary for the purposes set out in this policy:

  • Order records: Retained for 6 years from the date of transaction in accordance with HMRC requirements
  • Contact form messages: Retained for up to 12 months, then securely deleted
  • Chapter membership records: Retained for the duration of active membership plus 2 years
  • Server logs: Automatically deleted after 30 days

You may request deletion of your personal data at any time (subject to our legal obligations to retain certain records).

6. YOUR RIGHTS UNDER UK GDPR

You have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you (Subject Access Request)
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your data ("right to be forgotten"), subject to legal retention obligations
  • Right to restrict processing: Ask us to limit how we use your data in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days of receiving your request.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk · Helpline: 0303 123 1113

7. DATA SHARING AND THIRD PARTIES

We share your personal data only where necessary with the following third parties:

  • PayPal (Europe) S.à r.l. et Cie, S.C.A.: Payment processing for merchandise orders. PayPal acts as an independent data controller for payment data. See PayPal's Privacy Policy at paypal.com/uk/legalhub/privacy-full.
  • Starfleet International (SFI): Membership data may be shared with SFI Region 20 as required for chapter affiliation and administration.
  • Email service provider: Used to send order confirmations and contact form responses. Data is processed only to deliver transactional emails.

We do not transfer your personal data outside the United Kingdom or European Economic Area without appropriate safeguards in place.

8. COOKIES

This website uses only essential cookies required for basic functionality such as maintaining your session preferences. We do not use advertising cookies, tracking cookies, or third-party analytics cookies.

You may disable cookies in your browser settings. Please note that disabling essential cookies may affect some site functionality.

9. DATA SECURITY

We take the security of your personal data seriously. We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure. These include:

  • HTTPS encryption for all data transmitted to and from this website
  • Secure server storage for order records
  • Access to personal data restricted to authorised chapter officers only
  • Payment data handled exclusively by PayPal — we never see or store card details

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.

10. CHILDREN'S PRIVACY

This website is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without parental consent, please contact us at [email protected] and we will delete it promptly.

11. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes, we will update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.

Continued use of this website after changes are posted constitutes your acknowledgement of the updated policy.

12. CONTACT US

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact:

U.S.S. Maelgwn — Data Controller

If you are unhappy with our response, you may contact the Information Commissioner's Office: ico.org.uk/make-a-complaint