Data Protection & GDPR
How we handle client data, our obligations as a data processor, and what to do if something goes wrong.
Our Role
Under UK GDPR, the golf club is the data controller (they decide what data to collect and why) and Albatross is the data processor (we process it on their behalf through Capture). This distinction matters because it determines who is responsible for what.
| Responsibility | Who |
|---|---|
| Lawful basis for holding member data | The club (controller) |
| Privacy policy on their website | The club (controller) |
| Responding to subject access requests | The club (controller), with our support |
| Deciding whether to report a breach to the ICO | The club (controller) |
| Processing data only on the club's instructions | Albatross (processor) |
| Keeping data secure on the platform | Albatross (processor) |
| Notifying the club of any breach within 72 hours | Albatross (processor) |
| Maintaining a record of processing activities | Albatross (processor) |
Key Documents
All GDPR documents are stored in Google Drive > 03_Operations > 07. GPDR.
| Document | What It Is | When to Use |
|---|---|---|
| Albatross DPA Template | Data Processing Agreement between Albatross and the club | Send alongside the service agreement before any data is uploaded. Must be signed before go-live. |
| Albatross ROPA | Record of Processing Activities spreadsheet with three tabs: Processing Activities, Sub-Processor Register, Access Register | Update when a new client signs, when someone joins or leaves the team, or during quarterly reviews. |
| Albatross Internal Data Policies | Breach notification process and internal access policy | Reference if a breach occurs. Review during onboarding. |
Data Processing Agreement (DPA)
Every Capture client must have a signed DPA in place before any personal data is uploaded to the platform. This is a legal requirement under UK GDPR Article 28.
For new clients: Send the DPA with the service agreement. Both documents need to be signed before onboarding begins.
For existing clients without a DPA: Send it retrospectively and get it signed as soon as possible.
The DPA template is pre-filled with Albatross details, the sub-processor list, and technical measures. The only thing you need to fill in is the club name.
Where Client Data Lives
Capture runs on GoHighLevel (GHL), which hosts everything on US-based servers using Google Cloud Platform and Amazon Web Services. There is no EU data centre option.
This is legally covered by:
- The UK Extension to the EU-US Data Privacy Framework
- The International Data Transfer Addendum under Section 119A(1) of the Data Protection Act 2018
Both are referenced in the DPA. If a club asks where their data is stored, the answer is: on secure US-based cloud infrastructure, protected by internationally recognised transfer safeguards and covered by a Data Processing Agreement.
GHL holds SOC 2 Type II and ISO 27001 certifications. Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
Sub-Processors
GHL uses its own chain of sub-processors. The key ones are:
| Sub-Processor | Purpose |
|---|---|
| Google Cloud Platform | Infrastructure and hosting |
| Amazon Web Services | Infrastructure and backup |
| Twilio | SMS and voice |
| Mailgun | Email delivery |
| Stripe | Payments (if applicable) |
| OpenAI | AI features |
The full list is published at gohighlevel.com/sub-processors. Check it quarterly for changes. If GHL adds a new sub-processor, we need to notify clients within 30 days per our DPA terms.
Who Has Access to Client Data
Access to client data in GHL follows the principle of least privilege: you only get access to what you need for your role.
| Person | Access Level |
|---|---|
| James Wilkinson | Full agency admin (all sub-accounts) |
| Dom | Full agency admin (all sub-accounts) |
| Rae | Sub-account access (assigned clients only) |
When someone joins: James or Dom grants access. MFA must be enabled before access is given. Update the Access Register in the ROPA spreadsheet the same day.
When someone leaves: Revoke GHL access the same day. Rotate any shared credentials. Update the Access Register with the revocation date.
If a Data Breach Happens
A data breach is any incident where personal data is accidentally lost, disclosed, altered, or accessed without authorisation.
Examples:
- Sending one club's member data to another club
- GHL platform suffers a security incident
- A laptop with saved GHL credentials is lost or stolen
- An email with personal data goes to the wrong person
- Unauthorised access to a client's sub-account
What to Do
| Step | Action | Timeframe |
|---|---|---|
| 1 | Contain it. Stop the breach if possible. Change passwords, revoke access, ask the wrong recipient to delete the data. Do not delete evidence. | Immediately |
| 2 | Notify James. Phone if necessary. If James is unavailable, notify Dom. | Within 1 hour |
| 3 | Notify the client. James sends a written breach notification to the club's primary contact using the template in the Internal Data Policies doc. | Within 72 hours |
| 4 | Support the client's response. The club decides whether to report to the ICO. We provide whatever information they need. We do not contact the ICO ourselves. | As needed |
| 5 | Investigate and fix. Document root cause and update processes to prevent recurrence. | Within 1 week |
| 6 | Log it. Record in the breach log. Retain for at least 3 years. | Same day as resolution |
The 72-hour clock starts when Albatross becomes aware of the breach, not when the breach occurred.
Quarterly Review Checklist
Set a reminder for the first week of January, April, July, and October.
- Review who has GHL access -- does everyone still need it?
- Check MFA is enabled for all users
- Check GHL sub-processor list for changes
- Update the "Last Reviewed" column in the ROPA for each active client
- Confirm the Access Register is accurate
Rules for Handling Client Data
- Never use one club's data to benefit another club
- Never use member data for Albatross marketing or business development
- Never download client data to personal devices unless strictly necessary, and delete it afterwards
- Never access client data unless you need to for a specific task (support, build, QA)
- Always log client interactions in GHL
The moment you start making independent decisions about what to do with client data, you move from processor to controller and take on all the liability that comes with it. Don't do that.