Activity Time
Privacy Policy
Last updated: June 2025
Definitions
For clarity, the following terms are used in this Privacy Policy:
- Personal Data: Any information that can identify an individual directly or indirectly (e.g. name, email, child’s age).
- Processing: Any operation performed on personal data (e.g. collecting, storing, sharing).
- Data Controller: Activity Time, who determines the purposes and means of processing your data.
- Data Processor: A third party that processes data on our behalf (e.g. Stripe, AWS).
- Cookies: Small text files placed on your device to help the site function and improve the user experience.
1. Introduction
Activity Time ("we", "our", "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy outlines how we collect, use, and safeguard your information when you interact with our services, whether as a provider or a parent.
2. What Data We Collect and Why
We collect the following types of data to enable and improve our services:
Data Type | Purpose | Legal Basis |
---|---|---|
Name, email, password | Account creation and login | Contract |
Provider business details | Listing activities | Contract |
Payment details (via Stripe) | Booking payments | Contract |
Child’s name, age, notes | Activity booking, child-specific communication | Legitimate Interest / Consent |
Booking history | Service delivery and administration | Contract |
Device/IP info | Site performance, fraud prevention | Legitimate Interest |
Email engagement (if opted-in) | News, onboarding, support | Consent |
3. Children’s Data
We collect limited data about children (e.g. name, age, health notes) only as necessary to complete bookings. This data is submitted by parents or guardians, and we do not knowingly allow account creation by children. By providing this information, you confirm you are the parent or legal guardian with the authority to do so.
4. How We Store and Protect Your Data
- All data is securely hosted via Sharetribe and Amazon Web Services (AWS).
- Payments are securely processed via Stripe, a PCI-compliant provider.
- Emails are delivered using SendGrid.
- Access to data is restricted to authorised personnel only.
We regularly review and update our data handling practices in line with industry standards.
5. Third-Party Processors
To deliver a smooth and secure user experience, Activity Time works with a select group of trusted, GDPR-compliant technology providers. These are well-known infrastructure and service platforms, commonly used across the industry to support secure hosting, payments, communications, and analytics.
Service | Provider |
---|---|
Platform Hosting | Provider-grade infrastructure (e.g. Sharetribe) |
Payment Processing | PCI-compliant services (e.g. Stripe) |
Email Communication | Email delivery tools (e.g. SendGrid) |
Analytics Management | Tag management and future analytics |
Cloud Storage | Secure cloud hosting (e.g. AWS) |
We do not sell user data and only work with processors that offer strong security and compliance standards. Any future additions—such as tools for authentication (e.g. Auth0), analytics, or CRM—will follow the same principles and be clearly documented here if activated.
6. Cookies and Tracking
Activity Time uses essential cookies to enable secure, smooth operation of our platform — including logins, activity bookings, and payment processing. These cookies are strictly necessary and cannot be disabled through the site.
We do not currently use tracking or analytics cookies. If and when we introduce optional cookies (e.g. for analytics or marketing), we will update this policy and give users the ability to consent or decline before any such cookies are placed.
7. Your Rights Under GDPR
You have the right to:
- Access your personal data
- Correct inaccuracies
- Request deletion ("right to be forgotten")
- Object to or restrict processing
- Withdraw consent at any time
- Lodge a complaint with the Data Protection Commission (Ireland)
To exercise these rights, please email support@activity-time.com.
8. Data Retention
We retain personal data only as long as necessary for the purposes stated above. Inactive user accounts and their associated data are deleted after 24 months unless required for legal or tax reasons.
9. Data Breaches
In the event of a data breach involving your personal data, we will notify affected users and the Data Protection Commission (Ireland) within 72 hours, in accordance with GDPR.
Automated Decision-Making and Profiling
Activity Time does not use automated decision-making or profiling that produces legal effects or significantly affects individuals. If this changes in the future, we will update this policy and provide appropriate safeguards and rights under GDPR.
10. Provider Content Responsibility
Providers are solely responsible for the content they upload, including text, images, and videos. By uploading media, providers confirm they have secured appropriate rights and have received:
- Consent from any individuals pictured
- Consent from parents or legal guardians in the case of minors
Activity Time does not pre-screen uploaded content but reserves the right to remove any content that breaches privacy or legal standards.
11. Garda Vetting and Insurance Declarations
Before listing any activities, providers must confirm that:
- All staff involved have been Garda vetted for working with children
- They hold appropriate and sufficient insurance coverage for the activity
Activity Time does not request or verify these documents. Parents and guardians may request them directly from the provider. If we receive a credible complaint, Activity Time reserves the right to suspend or remove the provider’s listings without refund while the matter is investigated.
12. Jurisdiction and International Data Transfers
Activity Time is based in Ireland and complies with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the UK General Data Protection Regulation (UK GDPR).
We are committed to protecting user privacy regardless of geography. Where we collect or process personal data from users in other countries or regions outside the EU or UK, we apply the same principles of transparency, security, and control. We strive to meet or exceed the local data protection standards in each region where our services are offered.
Your data may be transferred to, and processed in, countries outside your country of residence, including countries that may not provide the same level of data protection. In such cases, we ensure that appropriate safeguards are in place — such as Standard Contractual Clauses, data processing agreements, or other lawful transfer mechanisms — to protect your information in accordance with applicable law.
We may appoint data protection representatives in other jurisdictions if required by law or regulation as our services expand globally.
13. Contact and Data Protection Officer
Data Protection Officer (DPO):
Audrey Vance / CEO