
Privacy Policy

Penrith Valley Regional Sports Centre Limited · ABN 55 003 495 583
Last reviewed: 14 May 2026

1. About this policy

This policy explains how Penrith Valley Regional Sports Centre Limited (we, us, our) handles personal information collected through the PVRSC Members Portal (the Portal). We are bound by the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs), and we follow them in handling your personal information.

By creating an account or otherwise using the Portal, you acknowledge this policy. If you don't agree with how we handle your information, please don't use the Portal.

2. What we collect, and why

The Portal needs specific information to register members, run competitions, process payments, communicate with participants, and meet our duty of care to people on our premises. We only collect what we actually need.

Information you give us directly

  • Identity — first name, last name, preferred name, date of birth, sex (for sport eligibility), gender identity (optional), Aboriginal and/or Torres Strait Islander status (optional, for grant reporting), country and state of birth (optional).
  • Contact — email address, mobile and home phone, residential and postal address.
  • Health and safety — emergency contacts (two people you nominate), disability status (yes/no), medical conditions or allergies you choose to disclose so we can respond appropriately on the court.
  • Account — password (we store only a hashed form; we cannot recover it), two-factor-authentication secret (when you enable 2FA), session and device fingerprints (last login time and IP address) for security review.
  • Avatar / photo — an emoji avatar (default) or, if you choose to upload one, a profile photo. Photos are governed by separate photo consent rules described in section 7.
  • Family / dependants — if you register a child under 18, you provide their identity, DOB, and health information on their behalf, and confirm you have the right to do so as their parent or legal guardian.
  • Free Agent profile (optional) — sport, skill level, preferred position, height, gender preferences for teammates, a short bio.
  • Payment details — when you pay online by card, the card details are entered directly into Stripe's secure form; we never see, receive or store your card number, CVC, or expiry. We do retain the payment outcome (amount, last 4 digits, reference) for accounting and refund purposes.
  • Communications — anything you send us by email, the support form, or in-app messages.

Information generated by your use of the Portal

  • Activity — teams you nominate or join, fixtures played, scores entered, suspensions issued, fines incurred, attendance.
  • Audit log — significant actions on your account (login, password change, profile edit, payment, role change) are logged with a timestamp and the acting user's ID. This is a legal and security requirement, retained for seven (7) years.
  • Cookies and similar — see section 9.

Information from third parties

  • Stripe — when you pay, Stripe returns the result of your card transaction and a Stripe Customer ID we link to your account so future payments are faster. See section 6.
  • Other guardians or captains — if a team captain registers you for a roster, or another guardian invites you to co-manage a child's account, we receive your name and email from them. We notify you when this happens and you can decline or remove yourself.

3. How we use it

We use your personal information only for the purposes you would reasonably expect when using a members portal:

  • Operating the Portal — running competitions, managing teams and rosters, scheduling fixtures, tracking results and ladders, processing payments and refunds, sending fixture and account notifications, providing first-aid information in an emergency.
  • Eligibility — using DOB and sex/gender to check age-bracket and category eligibility for the competitions you nominate for.
  • Safety and compliance — meeting our duty-of-care obligations on premises (emergency contacts, medical disclosures), responding to incidents, complying with insurance and regulator requests where lawfully required.
  • Communication — sending you transactional messages (verify-email, password reset, fixture changes, payment receipts, captain notifications, suspension notices). You can't opt out of essential transactional emails for as long as you have an active account.
  • Marketing — only if you've explicitly ticked the marketing opt-in. See section 4.
  • Improving the Portal — aggregate, de-identified usage statistics to fix bugs and prioritise features. We do not run third-party analytics or advertising trackers.
  • Legal compliance — meeting our obligations under the Australian Taxation Office (invoicing, GST), Australian Consumer Law, Spam Act 2003, child-safe-organisation principles, and other applicable laws.

We do not use your personal information for any other purpose unless you've consented or we're required by law.

4. Direct marketing (APP 7)

If you have a current account with us, we may occasionally send you marketing communications about new competitions, programs, and events at PVRSC. Every marketing message includes a one-click unsubscribe link, in compliance with the Spam Act 2003.

Adult accounts (18+). When you create an account, you're added to the marketing list by default. Agreement to the Terms & Conditions at signup is your consent (the Terms include a dedicated marketing clause, section 14). Under the Spam Act 2003, that's express consent disclosed at the point of collection, reinforced by implied consent from your active membership relationship with PVRSC. You can opt out at any time from your profile or via the unsubscribe link in any of our marketing emails; opting out takes effect within a minute.

Minor accounts (under 18). Different rules apply. No marketing email is sent until a parent or guardian has explicitly ticked the marketing opt-in box on the guardian-approval page (or later on the child's profile). The default for minors is opt-out; we treat marketing to under-18s as a separate consent decision a guardian must make, rather than something they get implicitly.

Opting out of marketing does not affect transactional or safety messages (fixture changes, payment receipts, suspension notices, emergency contact). Those continue while you have an active account.

How we send marketing email

We use Mailchimp (The Rocket Science Group LLC) as our email-marketing platform. When you tick the marketing or newsletter opt-in, the following fields are pushed to Mailchimp on your behalf so that you appear in our audience list and we can segment campaigns appropriately:

  • Email address
  • First and last name
  • Suburb, state, and postcode (for region-specific event invites)
  • Birth month and day only — not the year (powers birthday greetings without disclosing age)
  • The year you joined PVRSC
  • Short non-sensitive tags that drive list segmentation (e.g. sport:basketball, is_captain, wants:newsletter)

We do not push your full date of birth, mobile number, address line, gender, medical information, emergency contact, financial information, or any other sensitive detail to Mailchimp. If you toggle the opt-in off, we remove you from the Mailchimp audience on the next sync — typically within a minute. Mailchimp processes data on servers located in the United States; see section 10 for cross-border details.

From time to time we may switch to or supplement Mailchimp with another reputable marketing-list service to help us run programs and events more efficiently. Any such service will be subject to the same opt-in requirement, the same field-minimisation rules above, and the same Australian Privacy Principles. This page will be updated and the “Last reviewed” date refreshed before the change goes live.

5. Children and minors

The Portal is not intended for children under 13. We hard-block self-signup by anyone whose stated date of birth places them under 13. If you become aware that a child under 13 has somehow created an account, please contact us at office@pvrsc.com.au and we'll remove it.

Children aged 13–17 may register an account themselves, but the account is held under "guardian approval pending" status until a parent or guardian confirms via an emailed approval link. Until that confirmation arrives the account is dormant — it cannot nominate for a team, pay fees, or interact with other users.

For children under 18 who are parent-managed (most commonly under-13s, often registered by their parent on their behalf), the parent or legal guardian holds the account and is the legal point of contact. The child has no separate login. The parent's consent covers everything we do with the child's information.

Minor protections always applied:

  • Player names of under-18s are displayed as "First L." on rosters and never in full to other members (admins and the player's own family see the full name).
  • An optional privacy mode can be turned on for any account, providing an alias and masked photo on all public surfaces. This is intended for AVO-affected members, child-safety scenarios, or anyone who prefers heightened anonymity.
  • Photos of under-18s are never displayed publicly without explicit per-photo consent recorded on the child's profile.
  • Age itself is never displayed to other members — minors appear simply as "Minor" on any page where age might otherwise show.

6. Who we share information with

We disclose personal information to third parties only when necessary to operate the Portal, comply with the law, or with your consent. These are the parties involved:

Service providers (data processors acting on our behalf)

  • Stripe Payments Australia Pty Ltd — handles card payments and recurring billing where applicable. Stripe is a PCI-DSS Level 1 certified processor and may store and process data outside Australia (primarily United States and Ireland). Stripe's own privacy policy applies to the data they collect directly: stripe.com/au/privacy.
  • Microsoft Corporation (Office 365 / Outlook) — transactional email delivery. Email contents pass through Microsoft servers (some of which sit overseas) but are not used by Microsoft for any purpose other than delivery.
  • The Rocket Science Group LLC (Mailchimp) — email marketing platform. Only members who have ticked the marketing opt-in are pushed; only the limited field set described in section 4 is shared. Mailchimp is United States-based and is bound by its own privacy and security commitments: mailchimp.com/legal/privacy.
  • Our web hosting provider — hosts the Portal database in Australia. The host has access to the underlying storage and is contractually bound to handle data only as our processor.
  • Other reputable service providers we may engage — from time to time we may add or substitute providers in the categories above (payments, transactional email, marketing email, hosting, analytics) to help us manage the centre. Any new provider will be added to this list before they receive any personal information from us, and the “Last reviewed” date will be updated. We will continue to apply data-minimisation and APP 8 (cross-border) due diligence to each.

People you've connected to your account

  • Team captains — when you join a team, your captain sees your first name, last name, jersey number, and email so they can communicate fixture details. They do not see your DOB, address, medical info, or payment history.
  • Teammates — your name (in minor-protected form if under 18 or in privacy mode) appears on the team roster and player lists visible to other members of your team.
  • Guardians — co-guardians you have invited see the child's full profile and family administration tools.
  • Free Agent profile readers — if you publish a Free Agent profile, captains in matching competitions can see the fields you've chosen to share. The profile is privacy-mode-aware and you control which fields are visible.

Where the law requires

We will disclose information to law enforcement, courts, regulators, or other authorities when compelled by a valid legal process (subpoena, warrant, mandatory reporting obligation), or where reasonably necessary to remove a safety threat to a person.

We do not sell

We have never sold personal information to a third party and have no intention of doing so. We do not share information for any party's marketing purposes other than our own (see section 4).

7. Photos

Upload of a profile photo is optional. By uploading you confirm:

  • You are the person in the photo, or you have the right to upload that image (e.g. you are the parent uploading a photo of your child).
  • For under-18s, you give specific consent for that photo to appear on rosters and Free Agent cards visible to teammates and captains. Photos of under-18s are never displayed to non-team viewers without further consent.
  • You can remove the photo at any time via your profile (or your child's family profile).

Photos taken at events by the venue or its photographers are governed by the separate event photography notice posted on site at the time and are not part of this Portal privacy policy.

8. Security (APP 11)

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. These include:

  • HTTPS / TLS encryption for all traffic between your browser and the Portal.
  • Passwords stored only as bcrypt hashes — we cannot read the originals.
  • Optional two-factor authentication (TOTP) for all members; mandatory 2FA for admin accounts.
  • Per-action audit logging.
  • Rate limiting and account lockout to deter brute-force attacks.
  • Step-up reauthentication for sensitive actions (changing email, viewing payment history).
  • Role-based access — admin actions are limited to staff with admin role; staff access to your data is logged.

No system is perfectly secure. If we ever become aware of a data breach likely to result in serious harm to you, we'll notify you and the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches scheme.

9. Cookies and tracking

The Portal uses a small number of strictly necessary cookies. We do not run Google Analytics, Meta Pixel, or any third-party advertising or behavioural-tracking tool.

  • pvrsc_portal — session cookie that keeps you logged in. Expires when you close your browser or after 30 days of inactivity. Required for the Portal to work.
  • CSRF token — short-lived token embedded in forms to prevent cross-site request forgery.
  • Stripe cookies — set by Stripe's checkout flow during a payment. Governed by Stripe's privacy policy.

You can block cookies in your browser, but the Portal will not work without the session cookie. We do not display a cookie banner because we don't set any non-essential cookies — under the current Australian regulatory position, banners for strictly-necessary cookies are not required.

10. Cross-border disclosure (APP 8)

Some of our service providers — notably Stripe, Microsoft Office 365, and Mailchimp — process data on servers located outside Australia, including in the United States, Ireland, and the European Union. Where that occurs, we have taken reasonable steps to ensure the overseas recipient does not breach the APPs in relation to your information. By using the Portal you acknowledge and consent to this overseas transfer for the purposes described in section 6.

11. How long we keep your information

We retain personal information only as long as it's needed for the purposes set out in this policy, or as required by law:

  • Active member data — for the duration of your account, plus a transition period if you ask us to deactivate.
  • Audit log — seven (7) years, in line with Australian record-keeping obligations under the Corporations Act 2001 and the Privacy Act 1988 guidance.
  • Financial records — at least seven (7) years for tax (ATO requirement).
  • Deletion requests — when you request deletion, we soft-delete identifying details immediately and purge the underlying records on a quarterly cycle, except where retention is legally required (audit log, paid invoices, suspensions affecting other members' eligibility).

12. Access and correction (APP 12 & APP 13)

You can access and correct most of your information directly from your profile page while logged in. For things you can't change yourself (audit log, historical billing, suspension history), you can request a copy or a correction by emailing office@pvrsc.com.au.

We'll respond within 30 days. If we decline a correction or refuse access, we'll explain why in writing and let you know how to escalate (see section 14).

To deactivate or delete your account entirely, request it from your account's Security page. We confirm the request and process it within a reasonable time.

13. Anonymity and pseudonymity (APP 2)

The Portal exists to run identified-participant competitions and to discharge our duty of care — so for most interactions we need to know who you are. Where it's lawful and practicable to interact with us anonymously or under a pseudonym, you may do so (for example, casual feedback or general queries that don't relate to a specific account or event). Account registration itself requires real identity.

14. Complaints

If you believe we have breached the Australian Privacy Principles or otherwise mishandled your personal information, please email office@pvrsc.com.au with the subject line "Privacy complaint". We'll acknowledge your complaint within 5 business days and aim to substantively respond within 30 days.

If you're not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC):

  • Website: oaic.gov.au/privacy/privacy-complaints
  • Phone: 1300 363 992
  • Post: GPO Box 5288, Sydney NSW 2001

15. Changes to this policy

We may update this policy from time to time. Material changes (e.g. a new data sharing relationship, a new category of collection) will be flagged on the Portal — typically by an in-app notice the next time you log in. The "Last reviewed" date at the top of the page reflects the most recent change.

16. How to contact us

Penrith Valley Regional Sports Centre Limited
ABN 55 003 495 583
PO Box 8094, Werrington County, NSW 2747
Phone: (02) 47 313 222
Email: office@pvrsc.com.au

© 2026 Penrith Valley Regional Sports Centre