Privacy Policy
Effective date: 24 June 2026
1. Introduction
Global Climbing Standard Ltd ("GCS", "we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal data when you use our website at globalclimbingstandard.com, our mobile applications, and any related digital services (together, the "Platform").
This Policy is issued in accordance with the Gibraltar General Data Protection Regulation ("Gibraltar GDPR") and the Data Protection Act 2004 (as amended). It should be read alongside our Cookie Policy.
2. Who We Are: the Data Controller
The data controller responsible for your personal data is Global Climbing Standard Ltd, a limited company registered in Gibraltar, trading as Global Climbing Standard. Company number xxxxxx with registered address Suite 4.3.02, Eurotowers, Gibraltar, GX11 1AA.
For data protection queries, please contact us at hello@globalclimbingstandard.com.
3. What Personal Data We Collect
3.1 Data you provide directly
When you register or use the Platform, we may collect:
- Identity data: name, date of birth (for learners), username.
- Contact data: email address, telephone number.
- Account credentials: encrypted password.
- Profile data: profile photograph (optional), organisation name, role, qualifications.
- Climbing progression data: stage assessments, skill domain scores, session records, coach notes, awarded credentials.
- Communication data: messages or enquiries you send us.
- Payment data: where applicable, billing information processed via our payment provider (we do not store full payment card details).
3.2 Data collected automatically
When you visit the Platform, we automatically collect:
- Usage data: pages visited, features used, time and duration of visits, click-stream data.
- Technical data: IP address, browser type and version, device type, operating system, time zone.
- Cookie and similar tracking data: as described in our Cookie Policy.
3.3 Data received from third parties
We may receive data about you from:
- Climbing centres and coaches, who may register learner profiles on your behalf.
- Regional partners, who may set up accounts within their territory.
- Third-party app stores (Apple App Store, Google Play), limited to technical and transactional data.
4. Special Provisions for Children's Data
The Platform is designed, in part, for use by children as young as four years old (Early Years category). We take the protection of children's personal data very seriously.
4.1 Children under 13
A learner under the age of 13 may only be registered by a parent or legal guardian. By completing registration on behalf of a child, the parent or guardian:
- confirms they hold parental responsibility for the child;
- provides consent on the child's behalf for the processing of the child's personal data as described in this Policy;
- agrees to supervise the child's use of the Platform.
4.2 What data we hold for child learners
For child learners, we hold only the data necessary to operate the climbing progression service: the child's first name (and optionally last name or initial), date of birth (to place them in the correct age category), and climbing progress records. We do not require a child's email address or contact number.
4.3 Parental visibility and control
Parents and guardians have access to their child's full progress profile via the parent dashboard. Parents may request deletion of their child's account and associated data at any time in accordance with Section 10 of this Policy.
4.4 Safeguarding
We do not permit children to contact other users directly through the Platform. Coaches and centre staff interact with learner records for assessment purposes only and cannot initiate personal communications with children via the Platform.
5. How We Use Your Personal Data and Our Lawful Bases
We process personal data only where we have a lawful basis to do so under the Gibraltar GDPR. The table below sets out our purposes and the corresponding lawful basis.
| Purpose | Lawful basis |
|---|---|
| Provide, operate, and personalise the Platform | Performance of a contract (or pre-contractual steps); or Legitimate interests |
| Register and manage user accounts | Performance of a contract |
| Track and display learner progression through GCS stages | Performance of a contract; or Legitimate interests |
| Provide parents with real-time progress updates | Performance of a contract; Consent (where the learner is under 13) |
| Issue and verify GCS digital credentials | Performance of a contract; Legitimate interests (global portability of credentials) |
| Process payments and manage billing | Performance of a contract; Legal obligation |
| Send service-related communications (account confirmations, policy updates) | Performance of a contract; Legal obligation; Legitimate interests |
| Send marketing communications (from GCS or, where you have consented, from our selected partners) | Consent (opt-in only). You may withdraw consent at any time |
| Comply with legal obligations (tax, regulatory) | Legal obligation |
| Analyse and improve the Platform | Legitimate interests (provided these do not override your rights) |
| Detect, prevent, and investigate fraud and security incidents | Legitimate interests; Legal obligation |
Where we rely on legitimate interests, you have the right to object to that processing. Please see Section 10 for how to exercise this right.
6. Cookies and Electronic Tracking
We use cookies and similar technologies on the Platform. Cookies are only placed on your device with your prior, freely given, specific, and informed consent, except for strictly necessary cookies required for the Platform to function.
You can manage your cookie preferences at any time via the cookie settings link in the footer of our website. Withdrawing consent for non-essential cookies does not affect the lawfulness of processing based on consent before its withdrawal.
For full details of the cookies we use, their purpose, and how to manage them, please see our Cookie Policy.
7. Electronic Marketing
We will only send you marketing communications if you have opted in to receive them. Each marketing communication includes a clear and easy mechanism to opt out (unsubscribe). We do not send unsolicited marketing.
We will not share your contact details with third parties for their marketing purposes without your explicit consent. See Section 8.3 below for details of how we may share data with selected marketing partners where you have given that consent.
8. How We Share Your Personal Data
We do not sell your personal data. We share personal data only in the following circumstances:
8.1 Within the GCS ecosystem
Climbing centre staff and coaches at the centre where a learner is registered can access that learner's progress data to deliver the GCS programme. Regional partners can access aggregated and individual data for learners registered within their territory to the extent necessary to manage the programme.
8.2 Service providers (processors)
We use carefully selected third-party service providers who process data on our behalf, including:
- Cloud hosting and infrastructure providers;
- Payment processing providers;
- Email delivery services;
- Analytics providers (on a privacy-respecting, consent-based basis).
All service providers are bound by data processing agreements that require them to process data only on our instructions and in accordance with the Gibraltar GDPR.
8.3 Selected marketing partners
With your explicit consent, we may share your contact details (name and email address) with carefully selected third-party partners so that they may send you marketing communications about products and services that may be of interest to you. We will only do this where you have actively opted in.
You may withdraw this consent at any time by contacting us or by using the unsubscribe link in any partner communication. Withdrawing consent does not affect the lawfulness of sharing that took place before withdrawal.
We do not share children's personal data with marketing partners under any circumstances.
8.4 Legal requirements
We may disclose personal data to regulatory authorities, law enforcement bodies, or courts where required to do so by applicable law, or to protect the vital interests of any individual.
8.5 Business transfers
If GCS undergoes a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity, subject to the same protections as described in this Policy. We will notify affected users in advance.
9. International Data Transfers
GCS operates a global platform across 100+ territories. Your personal data may be transferred to and processed in countries outside Gibraltar and the UK.
Where we transfer data to countries that do not provide an equivalent level of data protection to Gibraltar, we ensure appropriate safeguards are in place, which may include:
- Standard Contractual Clauses (SCCs) approved by the relevant supervisory authority;
- Transfers to countries covered by a UK adequacy decision;
- Binding Corporate Rules, where applicable.
You may request details of the specific safeguards in place for any particular transfer by contacting us at the address in Section 2.
10. Your Data Subject Rights
Under the Gibraltar GDPR and the Data Protection Act 2004, you have the following rights in relation to your personal data. You (or, in the case of a child under 13, their parent or guardian) may exercise these rights by contacting us as set out in Section 2. We will respond within one month of receiving your request.
- Right of access: You may request a copy of the personal data we hold about you and information about how it is used.
- Right to rectification: You may ask us to correct inaccurate or incomplete personal data.
- Right to erasure ("right to be forgotten"): You may ask us to delete your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent, or where the processing was unlawful.
- Right to restriction: You may ask us to pause processing of your data in certain circumstances (for example, while you contest its accuracy).
- Right to data portability: Where processing is based on consent or contract and carried out by automated means, you may request a machine-readable copy of your data.
- Right to object: You may object to processing based on legitimate interests or carried out for direct marketing purposes.
- Rights related to automated decision-making: You have the right not to be subject to a decision based solely on automated processing that produces significant legal or similar effects. We do not currently use such automated decision-making.
We may need to verify your identity before processing your request. We will not charge a fee in the first instance. If requests are manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.
11. Data Retention
We retain personal data for no longer than is necessary for the purposes set out in this Policy or as required by law. Our general retention periods are:
- Active learner accounts: retained while the account remains active plus a period of 3 years following last activity, to maintain the integrity of credentials.
- Inactive accounts: we will contact you before deleting accounts inactive for 3 years and give you an opportunity to reactivate.
- Financial and transaction records: 7 years, in accordance with Gibraltar tax and accounting requirements.
- Communications and support records: 2 years from the date of the last communication.
Where you request deletion of your account, we will delete or anonymise your personal data within 30 days, subject to any overriding legal obligation to retain it.
12. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include encryption in transit (TLS) and at rest, access controls, regular security assessments, and staff training.
Notwithstanding these measures, no transmission over the internet is completely secure. We cannot guarantee absolute security, but we will notify you and the Gibraltar Regulatory Authority of any breach that is likely to affect your rights, in accordance with our legal obligations.
13. Data Breaches
If we become aware of a personal data breach that poses a risk to your rights and freedoms, we will notify the Gibraltar Regulatory Authority (GRA) within 72 hours of discovery in accordance with Article 33 of the Gibraltar GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and/or a prominent notice on the Platform before the changes take effect. The effective date at the top of this page indicates when the Policy was last revised.
15. How to Complain
If you have concerns about how we process your personal data, please contact us in the first instance and we will do our best to resolve the issue.
You also have the right to lodge a complaint with the Gibraltar Regulatory Authority (GRA), which is the supervisory authority for data protection in Gibraltar:
Gibraltar Regulatory Authority
2nd Floor, Eurotowers 4
1 Europort Road
Gibraltar GX11 1AA
Email: privacy@gra.gi
Website: www.gra.gi
You may also have the right to complain to the data protection supervisory authority in the country where you live or work.