How Activora collects, uses, shares and protects your personal data — and the rights you have over it.
Last updated: June 2025 · Version 1.1
This policy explains how Activora (“we”, “us”) handles your personal data when you use our platform at activora.co.uk. Please read it carefully before registering.
Activora is a two-sided marketplace connecting qualified activity instructors with the providers who need them. We operate at activora.co.uk and are the data controller for all personal data collected through this platform.
We are registered with the Information Commissioner's Office (ICO) under registration number ZC171599.
Data protection contact: privacy@activora.info
General enquiries: contact@activora.info
When you register we collect your name, email address, and a hashed password. We also record your account role (instructor or provider), the date you registered, and your last login.
Instructors may provide: full name, profile photograph, location (town and postcode), biography, activity sectors, qualifications and certifications (including awarding body, level and expiry date), insurance status, DBS status (see Section 3), availability schedule, and hourly or day rate.
Providers may provide: organisation name, contact name, organisation type, primary location, sectors of operation, website URL, and a logo or cover image.
When providers post roles we store the role title, description, location, date, time, pay rate, activity sector, and role status. When instructors apply for roles we store the application, its status, and any messages exchanged in that context.
Instructors can publish availability slots with a status (available, busy, tentative), time window, and optional notes. This information is visible to providers searching the platform.
Messages sent between instructors and providers through the platform are stored on our servers. Each message records the sender, recipient, content, timestamp, and read status. Messages are linked to a specific role context to prevent unsolicited contact.
Subscription and payment processing is handled entirely by Stripe. We store a Stripe customer ID and subscription status in our database but never hold card numbers, sort codes or full payment details.
We may collect server logs, IP addresses, browser type, device type, and pages visited to maintain platform security and diagnose errors. This data is not used for advertising.
Some data we handle requires extra care under UK GDPR. We collect the minimum necessary and explain below how each type is used.
We collect a self-declared DBS status toggle (enhanced DBS held: yes / no / in progress) as part of instructor profiles. We do not collect DBS certificate numbers, issue dates, or the content of disclosures. Providers can see an instructor's declared DBS status when viewing their profile. Instructors are responsible for the accuracy of this declaration. We strongly recommend providers conduct their own independent DBS verification before engaging any instructor to work with children or vulnerable adults.
We collect details of professional qualifications and certifications (e.g. British Canoeing Instructor award, Mountain Training qualifications, NGB coaching awards) including awarding body, qualification level, and expiry date where provided. This data is displayed on instructor profiles and used by providers when considering applications. We treat this as professionally sensitive data and do not share it beyond what is necessary for the matching and application process.
Instructors may declare that they hold public liability insurance. We store the declared status only — not policy numbers, provider details, or policy documents. As with DBS, providers remain responsible for independently verifying insurance before engagement.
Profile photos are displayed publicly on instructor profiles within the platform. You should only upload a photo of yourself and should not upload images of third parties without their consent. Photos are stored on our secure storage provider (Supabase Storage).
We store town and postcode for instructors and providers. This is used to calculate proximity in search results. We do not collect GPS or precise real-time location data.
Messages between instructors and providers may contain personal or professionally sensitive content. Message content is not read by Activora staff except where required to investigate a reported breach of our Terms of Service or where we are legally required to disclose it.
We do not use your data for targeted advertising. We do not sell personal data to third parties.
We rely on the following lawful bases under UK GDPR:
For sensitive data such as DBS status and qualifications, we rely on the explicit provision of that information by you as a necessary condition of your use of the instructor matching service, in accordance with Article 9(2)(a) UK GDPR.
We share data only as described below. We do not sell personal data.
We use essential cookies for authentication and optional analytics cookies. See our Cookie Policy for full details. You can manage your cookie preferences at any time through our cookie banner.
We retain your account data for as long as your account is active. If you request deletion, we remove personal data within 30 days subject to the following exceptions:
Messages are retained for the duration of the conversation thread. Either party may delete their account; this will remove their profile data but message history for the other party's thread may remain in a redacted form.
Under UK GDPR you have the following rights:
To exercise any of these rights, email privacy@activora.info. We will respond within one calendar month. We may ask you to verify your identity before acting on a request.
If you are not satisfied with our response, you have the right to lodge a complaint with the ICO (registration ZC171599) at ico.org.uk.
We implement appropriate technical and organisational measures to protect your data, including HTTPS encryption in transit, hashed password storage, access controls limiting staff access to production data, and regular security reviews.
Payments are processed entirely by Stripe — we never store card details. No system is 100% secure; please use a strong, unique password and do not share your login credentials.
In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected users without undue delay where required by law.
Activora is intended for users aged 18 and over. We do not knowingly collect data from children. If you believe we hold data about a child under 18, contact privacy@activora.info to arrange deletion.
Note: while our users are adults, some instructor roles may involve working with children or vulnerable adults. Providers are responsible for ensuring appropriate safeguarding checks (including DBS verification) are carried out before engagement.
We may update this policy from time to time. Material changes will be notified by email or an in-app notice at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy. The version history is shown at the top of this page.
General questions: contact@activora.info
Data & privacy requests: privacy@activora.info