DynoDyno
Log inStart free

Privacy Policy

Last updated 10 May 2026

This Privacy Policy explains how Covert Digital Ltd ("we", "us", "our"), trading as Dyno, collects and processes personal data when you use the Dyno platform — including the website at dyno-app.com, the Dyno mobile apps for iOS and Android, and the club-owner dashboard at dashboard.dyno-app.com (together, the "Service").

We are the controller of the personal data described in this policy. If you have questions or want to exercise your rights, contact us at support@dyno-app.com.

1. Who we are

Dyno is a club management platform. Clubs use it to run memberships, events, payments, bookings and messaging. Members use it to join clubs, pay subscriptions, book sessions, and communicate with their club. We are based in the United Kingdom and the Service is provided to clubs and members worldwide.

2. The personal data we collect

2.1 Account data

When you create an account we collect: name, email address, phone number (optional), date of birth (optional), profile photo (optional), and a password (stored hashed). For club owners and staff, we additionally collect role assignments and team membership records.

2.2 Club data

If you create or administer a club, we collect: club name, contact email, phone, address, location coordinates, branding assets (logos, images), and any content you publish (events, memberships, posts, chat messages).

2.3 Payment data

Payments are processed by Stripe using Stripe Connect. We do not see or store your card details. Stripe shares limited transaction metadata with us (amounts, status, currency, the last four digits and brand of the card, country) so we can show you a payment history and manage subscriptions. See Stripe's Privacy Policy for how Stripe handles card data.

2.4 Waiver and consent records

When you sign a club waiver, we record: your typed name, the date and time of signing, your IP address and user agent, the version of the document signed, and a SHA-256 hash of that document. This record is required by clubs as proof of consent for participation and is kept as set out in section 7 below.

2.5 Device and usage data

When you use the Service we automatically collect: IP address, browser type, operating system, device identifiers, push-notification tokens (mobile only) and interaction logs (pages visited, actions taken, error events). We use this for operating the Service, security, and improving features.

2.6 Location data

If you grant location permission on the mobile app or web app, we use your location to show clubs and events near you, and to let club owners drop a precise pin when setting their club address. Location is not stored historically beyond the latest position you choose to share.

2.7 Content you create

Posts, chat messages, comments, photos, and other content you upload are stored so the Service can show them to other members of your club. You retain ownership of your content (see our Terms of Service).

3. How we use your data

We use personal data to:

  • Provide the Service: authenticate you, deliver features, and let you communicate with your club;
  • Process payments and prevent fraud (via Stripe);
  • Send transactional emails (booking confirmations, payment receipts, password resets);
  • Send service announcements where legally permitted;
  • Comply with legal obligations (tax, anti-money-laundering, lawful requests);
  • Investigate abuse, enforce our Terms, and keep the Service secure;
  • Improve the Service through aggregated, non-identifying analytics.

4. Lawful bases (UK GDPR)

  • Contract: processing your account, club, payment and content data is necessary to deliver the Service you signed up for.
  • Legitimate interests: security, fraud prevention, service improvement and product analytics. We have balanced these against your rights and only process data where the impact on you is proportionate.
  • Legal obligation: retaining financial records for HMRC, responding to lawful requests, GDPR record-keeping.
  • Consent: marketing communications, optional photo/avatar uploads, location access, and push-notification permissions. You can withdraw consent at any time.

5. Who we share data with

We share personal data only with the following categories of recipient, and only to the extent needed for them to perform their role:

  • Your club: if you join a club, your name, profile data, membership status and waiver signatures are visible to that club's staff.
  • Stripe (payments processor and platform sub-processor) — UK / EU / US.
  • Amazon Web Services (S3 + CloudFront for media storage and database hosting) — eu-west-2 (London).
  • Resend (transactional email delivery) — US-based, Standard Contractual Clauses in place.
  • Firebase Cloud Messaging (push notifications, mobile only) — US-based, SCCs in place.
  • Sentry (error monitoring) — US-based, SCCs in place. Error reports may include user IDs and request paths but never plaintext PII payloads.
  • Legal authorities where compelled by law (court order, valid subpoena).
  • A potential buyer in the event of a merger, acquisition or sale of all or part of our business — under appropriate confidentiality and continuity-of-policy arrangements.

We do not sell your personal data, and we do not share it with advertisers.

6. International transfers

Some of our sub-processors are located outside the UK and EEA. Where this is the case we rely on the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision, as appropriate.

7. Retention

We keep personal data for the periods set out below.

  • Account data — for as long as your account exists. On account deletion (see section 9), identifying fields are scrubbed.
  • Financial records (payments, subscriptions, refunds) — retained for 6 years from the end of the relevant tax year, as required by HMRC.
  • Waiver signatures — retained while the club requires proof of consent for participation, typically for the limitation period of any related legal claim (commonly up to 6 years, or longer for claims involving minors).
  • Chat messages and posts — kept while your account is active and deleted on account deletion.
  • Server logs — typically 30 days, longer for security incidents.
  • Backups — overwritten on a rolling basis, normally within 35 days.

Where we're required to retain a record (financial or legal), we may keep it even if you ask us to delete your account — but we will pseudonymise or anonymise it so it cannot be linked to you in day-to-day operations.

8. Children's data and minimum age

8.1 Minimum age: 13

The minimum age to hold a Dyno account is 13. We do not knowingly permit anyone under 13 to register. The signup flow asks for a date of birth and rejects registrations that don't meet the minimum age.

If we discover an account that has been registered to a child under 13, we will close it. If you believe such an account exists, contact us at support@dyno-app.com.

8.2 Teen accounts (ages 13–15)

Members aged 13–15 are placed on a Teen account by default. Teen accounts have stricter privacy defaults than adult accounts:

  • Direct messages are limited — teens can only message staff of clubs they belong to (owners, admins, managers, coaches), not other members.
  • Profile visibility is restricted to staff and members of clubs the teen has joined. Teen accounts do not appear in cross-club member discovery.
  • Posts and feed activity are scoped to clubs the teen has joined. Teens cannot post into clubs they are not a member of, and their posts are not surfaced in any cross-club discovery feed.
  • Marketing emails are off by default. Transactional emails (booking confirmations, payment receipts) follow the parent/guardian email on file.

For members aged 13–15 we expect a parent or guardian to be involved in onboarding. The club a teen joins is responsible for confirming parental awareness and (where required) parental consent for waivers and payments.

8.3 Members under 13

Children under 13 cannot have a Dyno account in their own name. Where a child under 13 is a member of a club that uses Dyno, the parent or guardian must manage the relationship through the parent's own Dyno account. The parent or guardian:

  • uses their own email address as the account email;
  • signs any waivers and provides any consents on the child's behalf;
  • is responsible for all activity that takes place under the account;
  • is the sole point of contact for transactional emails, billing and notifications.

8.4 Club responsibilities

Clubs that onboard members under 16 are responsible for confirming that registrations are appropriate (a teen registering directly is on a Teen account; a child under 13 is on a parent-managed account). Clubs are also responsible for collecting parental consent where required by their local rules or insurer.

9. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • request deletion of your account and associated personal data;
  • restrict or object to certain processing;
  • portability — receive a copy of your data in a structured, machine-readable format;
  • withdraw consent at any time where processing is based on consent;
  • lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

You can exercise most of these rights inside the app (Settings → Account) or by emailing support@dyno-app.com. We respond within 30 days.

When you delete your account, we anonymise your identifying fields immediately and hard-delete content like posts, comments and chat messages. Financial records and waiver signatures are retained as set out in section 7 but are no longer linked to you in our day-to-day systems. Stripe customer records are deleted from Stripe at the same time, which detaches stored payment methods.

10. Cookies and similar technologies

The Service uses a small number of strictly-necessary cookies and local-storage items to keep you logged in and remember your preferences. We do not use third-party advertising or tracking cookies. If we add analytics cookies in the future, we will surface a consent banner first.

11. Security

We protect your data with TLS in transit, encrypted storage at rest, password hashing, role-based access control, audit logging on sensitive actions (admin deletions, license changes), and least-privilege engineering practices. No system is impenetrable; if a breach affects your data we will notify you and the ICO within 72 hours of discovery, where required.

12. Changes to this policy

We may update this policy from time to time. The date at the top of this page shows when it was last revised. For material changes (new sub-processors, significant new uses of data) we will notify you by email and/or a prominent in-app notice before the change takes effect.

13. Contact us

Covert Digital Ltd, trading as Dyno, United Kingdom.
For all data-protection enquiries, including access, correction and deletion requests, email support@dyno-app.com.