Champions Programme Privacy Policy
Invictus UK 2027 Ltd & Invictus UK 2027 Trading Limited
Last updated: July 2026
1. Who We Are
Invictus UK 2027 Ltd & Invictus UK 2027 Trading Limited (“Invictus”, “we”, “us”, “our”) are responsible for activities connected with Invictus UK 2027, including event management, ticketing, communications, fundraising, donations, sponsorship, commercial activities and the Champions Programme. Invictus UK 2027 Ltd is a registered charity in the UK, Registered Charity Number 1210319. Invictus UK 2027 Trading Limited is the trading subsidiary of Invictus UK 2027 Ltd, company registration number 16282554.
We are the data controller of the personal data we collect and process, as described in this Privacy Policy.
Contact details:
Data Controllers: Invictus UK 2027 Ltd and Invictus UK 2027 Trading Limited (each acting as data controllers)
Registered addresses: 199 Borough High Street, London, SE1 1AA
ICO Registration Numbers: ZB780560; ZB976633
Data Protection contact: Sonia Howe, contact@invictusgames2027.org
Telephone: 0121 516 8993
2. Scope of This Policy
This policy relates to information collected from our websites, subdomains, social media channels, contact centre, email, forms, questionnaires, postal and telephone enquiries, event and campaign participation, donations, fundraising activities, sponsorship arrangements and the Champions Programme.
This Policy does not apply to personal data we process on behalf of our clients as a data processor. In those circumstances, our clients are the data controller and their privacy policy will apply.
3. Personal Data We Collect
We process the personal information provided by you, or a third party acting on your behalf (such as a relative or friend), in order to respond to your requests including applications to participate in events and campaigns organised by us and to receive communications from us, including
"Contact Data" includes information such as your name, preferred name, postal address, business and/or personal email address, telephone number, organisation, role.
"Account Data" includes name, email address (username) and password.
“Transaction and Sponsorship Data” includes donation amount, sponsorship or membership tier, payment frequency, VAT status, company registration number, Gift Aid information where applicable, and any messages or notes you provide with your transaction.
“Payment Data” includes payment method information processed by our payment
“Marketing and Communications Data” includes your preferences in receiving marketing and promotional messaging from us and our third parties including partners, your communication preferences, and also your participating team and sport preferences.
“Technical Data” includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
“Usage Data” includes information about how you interact with and use our website, products and services.
In certain circumstances, our collection of the different categories of data set out above may include the collection of Special Categories of personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also may collect criminal convictions and offences data as further described below.
Newsletter and SMS communications
If you also consent to receive marketing information from us then we will use your personal information, with your consent, to provide specific email and/or mobile communications related to the 2027 Invictus Games or any future Invictus Games.
Invictus Games Foundation
If you also consent to receive marketing information from, and about, the official charity of the Invictus Games Foundation, then we will use your personal information, with your consent, to provide specific email and/or mobile communications related to the Invictus Games Foundation. We will also share your personal information, with your consent, to the Invictus Games Foundation for them to provide you with specific email and/or mobile communications related to their charitable objectives, news and events.
Games Sponsors and Partners
If you also consent to receive marketing information from, and about, Games partners or sponsors from us and/or the Invictus Games Foundation, then we will use your personal information, with your consent, to provide specific email communications related to such partners and sponsors that we think will be relevant to you. We will also share your personal information, with your consent, with Games partners and sponsors, for them to provide specific email and/or mobile communications. We will never share your personal information with our partners or sponsors unless you have given consent to do so. We will never sell your personal data to third parties or any other organisations.
4. Special Category Data
Special category data is personal data that receives additional protection under UK data protection law. This may include information about health, disability, accessibility needs, medical requirements, dietary requirements where these reveal health, racial or ethnic origin, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, genetic data, biometric data used for identification, and political opinions.
We will only collect and use special category data where it is necessary for a specific purpose connected with our activities, such as considering accessibility needs, supporting safe participation in events or campaigns, making reasonable adjustments, responding to safeguarding or welfare matters, administering event participation, or meeting legal and regulatory obligations.
Where we process special category data, we will identify both a lawful basis under Article 6 UK GDPR and a separate special category condition under Article 9 UK GDPR. Depending on the circumstances, these may include your explicit consent, processing necessary for reasons of substantial public interest, processing necessary to protect vital interests, processing necessary for legal claims, or processing necessary for employment, social security or social protection obligations where applicable.
We will not use special category data for marketing purposes unless we have your explicit consent and it is appropriate to do so. We will only share special category data where necessary, proportionate and subject to appropriate safeguards, for example with event delivery partners, medical or welfare support providers, safeguarding personnel, venues, insurers, professional advisers, regulators or public authorities where required.
We apply enhanced protections to special category data, including limiting access to those who need it, using secure systems, applying appropriate retention periods, and deleting or anonymising the information when it is no longer needed for the purpose for which it was collected.
5. Criminal Offence Data and DBS Checks
We may process criminal offence data in limited circumstances where this is necessary and proportionate for our activities, including where we carry out, request, verify or record Disclosure and Barring Service (DBS) checks for certain roles, volunteers, contractors, staff, safeguarding positions, accreditation, access-controlled areas or event-related responsibilities.
Criminal offence data may include information about criminal convictions, cautions, allegations, investigations, safeguarding concerns, barred-list status, DBS certificate information, risk assessments, security incidents or other information relating to offences or alleged offences.
We will only process this information where we have a lawful basis under Article 6 UK GDPR and a valid condition under the Data Protection Act 2018 for processing criminal offence data. Depending on the circumstances, this may include legal obligations, safeguarding, substantial public interest, preventing or detecting unlawful acts, protecting the public, protecting children or vulnerable individuals, employment or volunteering suitability checks, legal claims, or where processing is otherwise authorised by law.
Where we undertake DBS checks, we will normally only request the level of check appropriate to the role and will not routinely retain DBS certificates. We may record limited information such as the date of the check, type of check, certificate number where necessary, outcome status, role assessed and any recruitment, safeguarding or suitability decision made. Access to this information will be restricted to those who need it for safeguarding, compliance, recruitment, accreditation or risk-management purposes.
We may share criminal offence data or DBS-related information only where necessary and lawful, for example with DBS bodies, safeguarding leads, authorised accreditation or event security teams, relevant regulators, law enforcement, professional advisers, insurers, public authorities, or organisations with a legitimate safeguarding or legal need to receive the information.
Criminal offence data and DBS-related information will be subject to enhanced security and retention controls. We will retain it only for as long as necessary for the purpose for which it was collected, to meet legal or safeguarding obligations, to evidence decisions, or to deal with complaints, claims or investigations.
6. How We Collect Your Personal Data
We collect personal data through the following means:
Direct interactions: when you contact us by email, telephone, or via our website contact form; when you enter into a contract with us; or when you subscribe to our communications;
Automated technologies: when you browse our website, we may automatically collect technical and usage data via cookies and similar technologies (see Section 9);
Third parties: including publicly available sources and sponsors; and
Fundraising and payment partners: when you donate, register, subscribe or purchase Champions Programme membership through platforms such as Enthuse or Stripe, your information may be shared with us securely in accordance with their privacy notices.
7. Legal Basis for Processing
We process your personal data only where we have a valid legal basis to do so under the UK GDPR and the Data Protection Act 2018 (“DPA 2018”). The legal bases we rely upon are:
(a) Contractual necessity: where processing is necessary to perform a contract with you, or to take pre-contractual steps at your request (UK GDPR Art. 6(1)(b)).
(b) Legitimate interests: where processing is necessary for our legitimate business interests (or those of a third party), provided those interests are not overridden by your rights and interests (UK GDPR Art. 6(1)(f)). Our legitimate interests include operating and improving our services, managing our business relationships, and preventing fraud.
(c) Legal obligation: where processing is necessary for compliance with a legal obligation to which we are subject (UK GDPR Art. 6(1)(c)), such as tax, accounting, and regulatory requirements.
(d) Consent: where you have given us clear, freely given, informed, and unambiguous consent to process your personal data for a specific purpose (UK GDPR Art. 6(1)(a)), such as for marketing communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
(e) Recognised legitimate interests: where processing is necessary for the safeguarding vulnerable people; responding to emergencies; preventing or investigating crime; national security, public security and defence; and sharing personal information with an organisation that needs that data for their public task or function at their request.
8. Purposes of Processing
We use your personal data for the following purposes:
To deliver and administer the services you have requested or contracted with us;
To respond to enquiries, feedback, and support requests;
To manage our commercial relationship with you, including billing and contract management;
To send you marketing communications where you have provided consent or where we rely on legitimate interests (with an opt-out available at all times);
To improve our website, services, and user experience through analytics;
To comply with applicable laws and regulations, including tax and accounting obligations;
To detect, prevent, and investigate fraud, security incidents, and other unlawful activity;
To enforce our terms and conditions and to protect our legal rights.
To ensure the safety and accessibility of our events for participants, spectators, volunteers, contractors and staff.
To process and acknowledge Champions Programme applications, donations, sponsorships and related membership benefits;
To keep accurate financial, supporter, commercial and sponsorship records, including records needed for HMRC reporting and Gift Aid claims where applicable;
To fulfil Champions Programme benefits, including merchandise, supporter communications and tier-related benefits.
9. Sharing and Disclosure of Personal Data
We do not sell your personal data to third parties. We may share your data in the following limited circumstances:
Service providers and processors We engage trusted third-party suppliers who process data on our behalf (for example, IT systems providers, payment processors, email platforms, and analytics providers). These suppliers are bound by data processing agreements and may only process your data on our instructions.
Champions Programme, fundraising and fulfilment partners We may share limited personal data with payment processors and banks, Stripe, Enthuse, HMRC for Gift Aid claims, contracted commercial and sponsorship suppliers including Goodform and Champions PLC, and fulfilment partners who send merchandise or administer Champions Programme benefits. We only share the personal data needed for those purposes and require appropriate safeguards and contractual protections.
Business partners Where necessary to deliver our services, we may share data with co-organisers, venues, or other event partners. We will ensure appropriate contractual protections are in place.
Legal and regulatory authorities We may disclose data where required by law, court order, or regulation; or where necessary to protect our legal rights or the rights of others.
Business transfers In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you of any such change and ensure your rights are protected.
10. International Transfers of Personal Data
In the course of providing our services, your personal data may be transferred to, and processed in, countries outside the United Kingdom. Some of our third-party service providers and business partners operate outside the UK.
Where we transfer personal data internationally, we ensure that appropriate safeguards are in place in accordance with the UK GDPR and DPA 2018, including:
Transfers to countries which the UK Secretary of State has determined to offer an adequate level of data protection (“adequacy regulations”);
Use of UK International Data Transfer Agreements (IDTAs) or UK Addenda to the EU Standard Contractual Clauses, as approved by the Information Commissioner’s Office;
Other legally recognised transfer mechanisms as may be applicable.
You may request further information about the specific safeguards in place for any international transfer by contacting us at the details in Section 1.
11. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to improve your browsing experience and to help us understand how our site is used. A cookie is a small text file placed on your device when you visit a website.
11.1 Types of Cookies We Use
Strictly necessary cookies Required for the operation of our website. These cannot be switched off. No consent is required for these cookies.
Analytical/performance cookies Allow us to recognise and count website visitors and understand how visitors move around the site. This helps us improve the way our website works (for example, ensuring pages load correctly). We use Squarespace Analytics for this purpose.
Marketing cookies Used to deliver relevant advertising to you and to track the effectiveness of marketing campaigns. We obtain your consent before placing these cookies.
Your cookie choices When you first visit our website, you will be presented with a cookie consent banner. You can withdraw or change your cookie preferences at any time through your browser settings or our cookie preference centre. Please note that disabling certain cookies may affect the functionality of our website.
If you interact with our website or payment and fundraising platforms, cookies and similar technologies may be used to improve user experience and support secure transactions. More information is available in our Cookie Policy.
12. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting obligations.
Our general retention periods are:
Transaction and donation records: 6 years for legal and tax purposes;
Marketing records: retained until consent is withdrawn or otherwise in line with our retention schedule.
Client and contract records: 7 years from the end of the commercial relationship (to comply with statutory limitation periods and tax obligations);
Prospect and marketing contact records: 3 years from last interaction, or until consent is withdrawn;
Website analytics data: 26 months from collection (standard analytics tool retention);
Correspondence and enquiry records: 3 years from last contact.
DBS and criminal offence data: retained only for as long as necessary for safeguarding, recruitment, accreditation, legal, regulatory or risk-management purposes, and not routinely retained as full DBS certificates unless legally required or necessary for a specific issue.
Where there is no defined retention period for a specific category of data, we will review and delete personal data when it is no longer necessary for the purpose for which it was collected.
13. Your Rights
Under the UK GDPR and DPA 2018, you have the following rights in relation to your personal data:
Right of access (Subject Access Request):You have the right to request a copy of the personal data we hold about you, together with information about how and why we process it. We will respond within one calendar month.
Right to rectification You have the right to request correction of inaccurate personal data or completion of incomplete data.
Right to erasure (‘right to be forgotten’) You may request deletion of your personal data where there is no compelling reason for its continued processing. This right is not absolute and may be limited by legal obligations.
Right to restriction of processing You may request that we restrict the processing of your data in certain circumstances, for example while a complaint is being investigated.
Right to data portability Where we process your data by automated means on the basis of your consent or a contract, you may request that we provide your data in a structured, commonly used, machine-readable format.
Right to object You have the right to object to processing based on our legitimate interests, and to object to the use of your personal data for direct marketing purposes at any time.
Rights in relation to automated decision-making You have the right not to be subject to decisions made solely by automated processing (including profiling) where those decisions produce legal or similarly significant effects on you. We do not currently carry out such processing.
Right to withdraw consent Where we rely on consent as the legal basis for processing, you may withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact us using the details set out in Section 1. We will not charge a fee for handling rights requests unless the request is manifestly unfounded or excessive. We may need to verify your identity before processing your request.
14. Marketing Communications
Where you have given us consent, or where we rely on legitimate interests, we may contact you with information about our services, events, and promotions. You can opt out of marketing communications at any time by:
Clicking the “unsubscribe” link in any marketing email we send;
Contacting us directly at contact@invictusgames2027.org
Please note that even if you opt out of marketing, we may still need to contact you for administrative or service-related purposes.
You can unsubscribe from marketing messages at any time by following the prompt at the bottom of our newsletters or by contacting us directly. In limited circumstances, such as when you start but do not submit an online registration form, we may contact you to check whether you need assistance or to avoid you thinking a registration has been submitted when it has not.
15. Data Security
We have implemented appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include access controls, encryption, secure network infrastructure, and regular staff training.
Where we engage third-party processors, we require them by contract to maintain equivalent security standards.
In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours and, where required, affected individuals without undue delay.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our business practices. The “Last updated” date at the top of this document indicates when the Policy was last revised.
Where we make material changes, we will notify you by email (if we hold your contact details) or by posting a prominent notice on our website. We encourage you to review this Policy periodically.
17. Complaints and the Right to Lodge a Complaint
If you have any concerns about how we handle your personal data, we encourage you to contact us in the first instance using the contact details in Section 1, so that we may address your concern directly.
If you remain dissatisfied, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
18. Contact Us
If you have any questions, queries or complaints, or wish to exercise any of your personal data rights, please contact us. Email is our preferred method of communication as it is quicker, more convenient, cheaper and has less environmental impact.
By email: contact@invictusgames2027.org
By post: Supporter Care, Invictus Games Birmingham 2027, 199 Borough High Street, London, SE1 1AA
By telephone: 0121 516 8993