Privacy Policy
Last updated: 7 July 2026
1. Who we are
CampVesta™ is a SaaS platform that helps holiday and summer camp operators manage staff, sites, modules and child registrations. Camp operators are the data controllers; CampVesta is the data processor.
CampVesta™ is a product of TanSarK Ltd, a company registered in England & Wales. ICO Registration Number: ZB251076. © 2026 TanSarK Ltd. All Rights Reserved.
For privacy questions email privacy@campvesta.com.
2. Data we process
- Operator & staff: name, email, phone, role, DBS / background-check status, availability, assignments.
- Children: name, age, parent contact, emergency contact, medical and consent notes.
- Operational: sites, camps, daily schedules, modules, attendance.
- Technical: IP address, browser/device, authentication tokens and security logs.
3. Cookies & similar technologies
CampVesta uses two categories of cookies and local storage:
- Strictly necessary: authentication session, security tokens, your cookie-consent choice. These do not require consent under UK / EU PECR and GDPR.
- Optional (analytics): aggregated usage to improve the product. Only set after you click "Accept all". You can withdraw consent at any time by clearing your browser's site data for this domain.
We do not use advertising or cross-site tracking cookies.
4. Lawful basis (UK & EU GDPR)
- Contract — to deliver the platform to the Operator.
- Legitimate interest — to secure accounts and prevent abuse.
- Consent — for optional analytics cookies and for parental consent recorded by Operators.
- Legal obligation — to retain records where required by safeguarding or tax law.
5. Your rights
Depending on where you live you may have the right to access, correct, delete, restrict, port, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. Requests should be sent to your camp Operator, who will work with CampVesta to fulfil them within statutory deadlines (typically 30 days in the UK/EU, 45 days in Canada, 30 days in the UAE).
6. Children's data
- UK / EU: Article 8 GDPR — processing of a child's data requires parental consent for under-13s (UK) / under-16s (EU member-state dependent).
- United States: COPPA — verifiable parental consent is required for under-13s. Operators must record this consent before uploading data.
- Canada: PIPEDA & Quebec Law 25 — meaningful parental consent is required for minors.
- Australia: APPs apply; consent is generally required from a parent or guardian for under-15s in practice.
- UAE: PDPL Federal Decree-Law 45/2021 — explicit consent from a guardian for processing children's data.
7. International transfers
Data is hosted in secure cloud infrastructure. Where data leaves the UK / EEA, CampVesta relies on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum.
8. Retention
Operational data is retained while the camp season is active and for a defined safeguarding window thereafter (typically 12 months) unless Operators set a shorter period or local law requires longer. On request or on account closure, data is exported for 30 days then permanently deleted.
9. Security
CampVesta enforces role-based access control, row-level security at the database tier, encrypted transport (TLS), and at-rest encryption of stored data. Sensitive medical and consent fields are restricted to Super Admin and Site Manager roles.
10. Breach notification
Where required, CampVesta will notify Operators without undue delay so they can meet their statutory breach-notification deadlines (72 hours under UK/EU GDPR, comparable timelines under PIPEDA, NDB scheme in Australia and UAE PDPL).
11. Changes to this policy
Material changes will be communicated by email or in-app at least 14 days before they take effect.
12. Contact
Privacy questions should be directed to your Operator administrator, who can escalate to the CampVesta team via the in-platform support channel.