Privacy Policy
Last updated: 18 February 2026
1. Introduction and Scope
FieldWaiver ("we", "us", "our") is an offline-first waiver and form management platform, operated by TechTeamUp, a company based in the United Kingdom. This Privacy Policy explains how we collect, use, store, share, and protect personal information at app.fieldwaiver.com.
This policy applies globally to:
- Merchants — businesses and organisations who use the platform to create and collect waivers
- Staff — team members who use the platform on behalf of a Merchant
- End Users — individuals who complete waivers or forms through Merchant pages
We comply with the UK GDPR, EU GDPR, Data Protection Act 2018, CCPA/CPRA, and other applicable data protection laws.
2. Data Controller and Data Processor
FieldWaiver operates under a dual-role model:
- Data Controller: TechTeamUp is the data controller for Merchant account data, platform analytics, and billing data.
- Data Processor: For waiver data and customer information collected through Merchant forms, the Merchant is the data controller and TechTeamUp acts as data processor. See our Data Processing Agreement.
Data Protection Contact: Tom Watts, Director · TechTeamUp · [email protected]
3. Personal Data We Collect
3.1 Information Provided by Users
| Category | Examples | Lawful Basis |
|---|---|---|
| Merchant account data | Business name, contact name, email, phone, address | Contract (Art. 6(1)(b)) |
| Staff accounts | Names, email addresses, roles | Contract (Art. 6(1)(b)) |
| Waiver and form data | Participant name, email, phone, signature, custom form fields, emergency contacts | Contract (Art. 6(1)(b)) / Consent (Art. 6(1)(a)) |
| Subscription payment data | Processed via Stripe — we do not store card numbers. Stripe subscription IDs, transaction references | Contract (Art. 6(1)(b)) / Legal obligation (Art. 6(1)(c)) |
3.2 Information Collected via Technology
| Category | Examples | Lawful Basis |
|---|---|---|
| Device and browser data | IP address, user agent, device type, OS, screen resolution | Legitimate interest (Art. 6(1)(f)) |
| Authentication data | Session tokens, CSRF tokens, login timestamps | Contract (Art. 6(1)(b)) |
| Offline sync data | Locally cached waiver data, sync timestamps, queue status | Contract (Art. 6(1)(b)) |
4. How We Use Your Data
- To operate the waiver management platform and store submitted waivers on behalf of Merchants
- To enable offline functionality and automatic data synchronization
- To process subscription payments via Stripe
- To send account notifications and system alerts via email
- To manage Merchant accounts, staff, forms, and business settings
- To generate analytics and reporting for Merchants
- To maintain security and prevent fraud
- To comply with legal and tax obligations
5. Offline Data Storage
FieldWaiver stores data locally on your device to enable offline functionality. This data is encrypted and synchronized with our servers when an internet connection is available. You can delete locally stored data by logging out or clearing browser data. Offline data is stored in browser IndexedDB and localStorage, and is protected by browser same-origin policies.
6. Data Retention Schedule
| Data Type | Retention | Justification |
|---|---|---|
| Merchant account data | Duration + 30 days post-closure | Contract |
| Waiver data | 7 years from submission date (or Merchant-specified retention period) | Legal obligation / Merchant requirements |
| Subscription/billing records | 6 years (HMRC requirement) | Legal obligation |
| Customer contact details | While Merchant account active, or until erasure requested | Contract / Legitimate interest |
| Offline cached data | Until synced and confirmed, or device logout | Contract |
| Auth sessions | 30 days (auto-expiry) | Security |
7. Data Storage, Security, and International Transfers
Infrastructure: Railway (EU region). Subscription payment processing: Stripe (PCI DSS Level 1 compliant).
- TLS 1.2+ encryption in transit; database encryption at rest
- Passwords hashed with bcrypt
- Multi-tenant data isolation with organisation-scoped queries
- Client-side encryption for offline data storage
- PCI DSS-compliant payment processing — we never store card numbers
- Rate limiting and brute-force protection
Stripe may transfer data internationally per their Privacy Policy and SCCs. For other transfers outside UK/EEA, we rely on SCCs, UK IDTA, and/or DPF adequacy decisions.
8. Sub-Processors
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Railway | Hosting, database | EU | EEA |
| Stripe | Subscription payment processing | US/EU | DPF + SCCs |
| Emailit | Email delivery | EU | SCCs |
We give 14 days' notice before sub-processor changes. We do not sell personal data.
9. Your Rights
9.1 UK/EU Data Subject Rights (GDPR)
- Access (Art. 15): Obtain a copy of your personal data
- Rectification (Art. 16): Correct inaccurate data
- Erasure (Art. 17): Request deletion
- Restrict processing (Art. 18): Limit processing
- Data portability (Art. 20): Receive data in machine-readable format
- Object (Art. 21): Object to legitimate interest processing
- Withdraw consent: At any time, without affecting prior processing
- Lodge a complaint: ICO (ico.org.uk, 0303 123 1113) or your EU supervisory authority
9.2 California Residents (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights. We also comply with the California Online Privacy Protection Act (CalOPPA).
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you in the past 12 months, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions (e.g., legal obligations, completing a transaction).
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information. No opt-out is necessary.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
Categories of Personal Information Collected (Past 12 Months)
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email address, phone number, IP address | Yes |
| Internet/Network Activity | Browser type, device info, login timestamps | Yes |
| Commercial Information | Subscription records, waiver submission details | Yes |
| Financial Information | Stripe subscription IDs (no card numbers stored) | Yes |
| Professional/Employment Information | Business name, merchant role | Yes |
| Sensitive Personal Information | Emergency contact details (collected by Merchants via custom forms) | Yes (as processor) |
How to Exercise Your CCPA Rights
To make a verifiable consumer request, email [email protected] with the subject line "CCPA Request". We will verify your identity by matching information you provide against our records before fulfilling the request. You may also designate an authorised agent to make a request on your behalf, provided you supply written authorisation.
"Do Not Track" Signals
Our Service does not currently respond to "Do Not Track" (DNT) browser signals, as there is no universally accepted standard for how to respond to such signals. We do not track users across third-party websites and do not use advertising cookies.
9.3 How to Exercise
End Users: Contact the Merchant (business/organisation) first — they are the data controller for your waiver data.
Merchants/Staff: Contact [email protected]. Response: 1 month (GDPR) / 45 days (CCPA).
10. Automated Decision-Making
We do not engage in automated decision-making or profiling with legal effects.
11. Children's Data
The Service is not directed at children under 16. Merchants are responsible for ensuring parental/guardian consent where waivers involve minors. We do not knowingly collect children's data directly.
12. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR
- Notify affected Merchants (data controllers) without undue delay to enable them to fulfil their own notification obligations
- Where the breach is likely to result in a high risk to individuals, notify the affected data subjects directly without undue delay, as required by Article 34 of the UK GDPR
- Document all breaches, including those that do not require notification, in our internal breach register
Our breach notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.
13. Cookies
See our Cookie Policy.
14. Changes and Contact
Material changes are notified via email and in-app notification.
Tom Watts, Director · TechTeamUp · [email protected] · techteamup.com