Privacy Policy (over 18)

The Pony Racing Authority Limited


We take your privacy very seriously. Please read this privacy policy carefully as it contains important information about who we are and how and why we collect, store, use and share your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you need to make a complaint.

This privacy policy is divided into the following sections:

  1. Who we are
  2. What this privacy policy covers
  3. Our collection and use of your personal information
  4. Who we share your personal information with
  5. Transfer of your information out of the UK and EEA
  6. Cookies and similar technologies
  7. Marketing
  8. Your rights
  9. How long your personal information will be kept
  10. Keeping your personal information secure
  11. How to complain
  12. Changes to this website privacy policy

We are The Pony Racing Authority Limited, with registered office Cheltenham Racecourse, Prestbury Park, Cheltenham, Gloucestershire, GL50 4SH and company registration number 06124777 (“we”, “us”, “our”). For more information about how we are and what we do, you can visit the About Us page.

We collect, use and are responsible for certain personal information about you when you engage with our organisation. ‘Personal information’ (also referred to as ‘personal data’) means any information which can identify someone as an individual.


This privacy covers our collecting and processing of personal information relating to adults who engage with us, either through visiting our website, contacting us or if your child is participating with pony racing.

For information on how we process children’s personal information, please visit our children’s privacy policy [LINK] which specifically covers our processing activities relating to the personal information we collect about children participating in pony racing.

When we use your personal information, we do as a “controller” meaning we are responsible for that personal information and subject to data protection laws, including the UK General Protection Regulation (UK GDPR) and Data Protection Act 2018.

Please contact us at if you have any questions about this privacy policy or the information we hold about you.


Personal information we collect about you

We collect personal information about you when:

  • you access our website;
  • you sign up to become a member;
  • you log in and use our member portal;
  • you participate in our races or other events – this may be as a partner, guardian or supporter;
  • you act as our supplier – for example by providing products or services to us;
  • you sign up to receive our marketing materials;
  • you contact us, including sending us feedback and completing surveys;
  • you taking part in competitions we run from time to time;
  • you sponsor us; or
  • we conduct an investigation to ensure compliance with the PRA Safeguarding Regulations.

This information includes:

Identity Data name, marital status, title, gender, date of birth,
Contact Data address, email address and telephone numbers
Technical Data internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website
Profile Data your username, racing history, qualifications, and benefits and preferences linked to your membership account on our portal
Usage Data information about how you use our website and membership benefits, including survey responses
Employment data details relating to your employment and job status where it relates to the services we are providing or where we are collecting this information in order to verify your profile or conduct – specifically if you are a carer of a child that is participating in a pony race, we may collect this information from you in order to ensure the safety and wellbeing of the child
References and checks information obtained from carrying out identification checks, DBS check – specifically, we run appropriate checks on our suppliers who will be working with the children participating in pony racing with us, such as trainers
Marketing and Communications your preferences in receiving marketing from us or our third parties and your preference as to the communication methods.


We will not collect or process any special categories of personal data about you, unless it is required to ensure compliance with the PRA Safeguarding Regulations or other applicable laws. In the event that you provide us with any special categories of personal data we will ensure that we are permitted to process such data under the data protection law, such as ensuring that:

  • we have your explicit consent; or
  • the processing is necessary to protection your (or someone else’s) vital interests where you are physically or legally incapable of giving consent; or
  • the processing is necessary to establish, exercise or defend legal claims.

How we collect your personal information

We collect this personal information from you either directly, such as when you contact us or otherwise engage with us, or indirectly, such as your browsing activity while on our website (see “Cookies” below).

From time to time, we may also collect personal information about you from other sources such as your local pony club or another organisation that you or your child are members of where you or your child have signed up to the pony racing scheme run by us through that third party (for example, the Green House Project). In this case, the third party organisation will collect your personal data and provide us with the relevant information required for you to attend an event with us or for your child to participate in the scheme. We may still ask you for additional information above what is initially provided to us. The third party’s use of your information will be governed by their privacy policy.

Our legal basis

Under data protection law, we can only use your personal information if we have a legal basis for doing so. We have a legal basis where:

  • Consent: you have given us your consent for us to process your personal information for a specific purpose;
  • Contract: our use of your personal information is necessary in order to perform a contract we have with you, or because you have asked us to take specific steps before entering into a contract (such as providing you with members’ benefits);
  • Legal obligation: our use of your personal information is necessary for us to comply with the law; or
  • Legitimate interests: our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal information which overrides our legitimate interests). This means we have a business or commercial reason for using your information. We make an assessment of using your information for our legitimate interest, to balance this against your interests as an individual.

How and why we use your personal data

How and why we collect and use your personal information depends on the reason we collect it. The table below sets out the ways in which we use your personal data and the legal basis which we rely on to do so.

What we use your personal information for (the purpose) Type of data Legal basis for processing (including basis of legitimate interest)
To onboard you as a new PRA member
  • Identity
  • Contact
  • Profile Data
Performance of a contract with you
To comply with our obligations under the applicable PRA Safeguarding Regulations and applicable regulatory obligations
  • Identity
  • Contact
  • References
  • Profile
Necessary to comply with a legal obligation
To provide membership benefits to you or your child who participates in one of our racing schemes, including:

(a) managing you or your child’s membership

(b) providing benefits to you or your child

(c) collecting membership fees owed to us

  • Identity
  • Contact
  • Financial
  • References
  • Marketing and Communications
(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to recover debts due to us)

To manage our relationship with you which will include notifying you about changes to your membership benefits and rules, our terms or this privacy policy


  • Identity
  • Contact
  • Profile
  • Marketing and Communications
(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our records updated and to study how our members use the benefits provided to them)

To enable you to complete a survey or provide us with feedback
  • Identity
  • Contact
  • Profile
  • Usage
  • Marketing and Communications
(a) Necessary for our legitimate interests (to better understand how our members use their benefits or engage with us, to improve the quality of benefits we provide to our members and how we regulate the sports)
To administer and protect our operation and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
  • Identity
  • Contact
  • Technical
  • Profile
  • Usage
(a) Necessary for our legitimate interests (for our operation, network security and to prevent fraud)

(b) Necessary to comply with a legal obligation

To deliver relevant website content and marketing materials to you and measure or understand the effectiveness of the marketing we send to you
  • Identity
  • Contact
  • Profile
  • Usage
  • Marketing and Communications
  • Technical
Necessary for our legitimate interests (to understand how visitors of our website use or engage with us, to improve the quality of our website and to provide relevant and updated content)
To use data analytics to improve our website, marketing, member relationships and experiences
  • Technical
  • Usage
Necessary for our legitimate interests (to keep our website updated and relevant, to inform our marketing strategy, to improve how we engage with our members)
To make suggestions and recommendations to you about our services that may be of interest to you
  • Identity
  • Contact
  • Technical
  • Usage
  • Profile
Necessary for our legitimate interests (to improve the quality of benefits we provide to our members and how we regulate the sports)
To maintain a suppression list of individuals who have opted-out of receiving marketing communications from us
  • Identity
  • Contact
  • Profile
Necessary for our legitimate interest (to ensure that we are not at risk of breaching data protection laws by communicating with you when you have asked us not to)


  1. Who we share your personal information with

We routinely share personal information with:

  • the British Horseracing Authority;
  • Racecourses and Point-to-Point organisers;
  • our affiliated racing schools, including British Racing School (Newmarket) and the National Horse Racing College;
  • social media sites such as Twitter, Instagram and Facebook but only where you have actively shared our website link to your social media profiles;
  • the Pony Club;
  • the Racing Foundation and Horse Race Betting Levy Board;
  • sponsors;
  • our payment service provider, Stripe (or such other provider as we may appoint from time to time);
  • third parties we use to help run our organisation, e.g. our website host, marketing agencies, back office functions.

We only allow our partners to handle your personal information if we are satisfied they take appropriate measures to protect your personal information and we have appropriate contractual terms in place with them for the processing of your personal information.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as during a purchase, transfer or corporate re-structuring of our organisation. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

  1. Transferring your personal information out of the UK and EEA

To deliver membership benefits to you, it is sometimes necessary for us to share your personal information outside the UK and/or European Economic Area (EEA), e.g. with our service providers located outside the UK/EEA.

These transfers are subject to special rules under European and UK data protection law.

Non-UK/EEA countries do not have the same data protection laws as the United Kingdom and EEA and we can only transfer your personal data to a country or international organisation outside United Kingdom or the European Union where:

  • the UK government or, where the EU GDPR applies, the European Commission has decided the particular country or international organisation provides an adequate level of protection of personal data (known as an ‘adequacy decision’);
  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for you as the data subjects – for example, the standard contractual clauses or “model clauses”; or
  • a specific exception applies under data protection law.

The following countries benefit from an adequacy decision: all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’); Gibraltar; and Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. This list may change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Where other countries do not have the benefit of an adequacy decision, this does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception.

Where there is no adequacy decision, we may transfer your personal data to another country or international organisation [(such as Stripe, Google or Mailchimp)] if we are satisfied the transfer complies with data protection law which is applicable in your country, appropriate safeguards are in place and enforceable rights and effective legal remedies are available for data subjects.

The safeguards will usually include using legally approved standard data protection contract clauses that are in accordance with the UK GDPR or EU GDPR (as applicable).

We will ensure the transfer complies with data protection law and all personal information will be secure. Our standard practice is to enter into model clauses with the relevant data importer.


  1. Cookies and other tracking technologies

A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our website. We use cookies on our website. These help us recognise you and your device and store some information about your preferences or past actions.

For further information on cookies, our use of cookies, when we will request your consent before placing them and how to disable them, please see our Cookies Policy.

  1. Marketing

We may send you updates (by email, text message, telephone or post) about membership benefits or racing schemes, including promotions, new benefits or events that may be of interest to you. We have a legitimate interest in using your personal information in this way so we do not usually need your consent to send you such marketing information. However, where consent is needed, we will ask for this separately and clearly.

We will always treat your personal information with the utmost respect and will never sell it with other organisations for marketing purposes.

If you have given your consent to receive marketing communications, or it is in our legitimate interests to send them because you are not a consumer or you are a member that has previous obtained similar benefits from us, you always have the right to opt out of receiving further promotional communications by:

  • contacting us at; or
  • using the ‘unsubscribe’ link in emails.

We may ask you to confirm or update your marketing preferences if there are changes in the law, regulation, or the structure of our business.

  1. Your rights

You have the following rights, which you can exercise free of charge:

Access The right to be provided with a copy of your personal information (the right of access)
Rectification The right to require us to correct any mistakes in your personal information
To be forgotten The right to require us to delete your personal information—in certain situations
Restriction of processing The right to require us to restrict processing of your personal information—in certain circumstances, e.g. if you contest the accuracy of the data
Data portability The right to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party—in certain situations
To object The right to object:

—at any time to your personal information being processed for direct marketing (including profiling);

—in certain other situations to our continued processing of your personal information, e.g. processing carried out for the purpose of our legitimate interests.

Not to be subject to automated individual decision making The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you


For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights.

If you would like to exercise any of those rights, please:

  • Email us — see contact details at the start of this policy;
  • let us have enough information to identify you g. your full name, address and membership number;
  • let us have proof of your identity (a copy of your driving licence or passport); and
  • let us know what right you want to exercise and the information to which your request relates.
  1. How long your personal information will be kept

We will not retain your personal information for longer than necessary for the purposes set out in this policy. Different retention periods apply for different types of personal information and in some circumstances, the law requires us to keep your personal information for a certain period (e.g. for accounting purposes).

If you are a PRA member or your child is participating in one of our pony racing schemes, we will keep your personal information until the later of: expiry or termination of your membership; or until your child turns 16 or the duration of your child’s participation in the scheme. Thereafter, we will keep your personal information for as long as is necessary:

  • to respond to any questions, complaints or claims made by you or on your behalf;
  • to show that we treated you fairly – including in respect of any defence or legal claims that may reasonably be expected within the applicable limitation periods; and
  • to keep records required by law.

When it is no longer necessary to retain your personal information, we will delete or anonymise it.

  1. Keeping your personal information secure

We have appropriate security measures to prevent personal information from being accidentally lost, or used or accessed unlawfully. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

  1. How to complain

We hope that we can resolve any query or concern you may raise about our use of your personal information. However, data protection laws also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred.

The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.

  1. Changes to this privacy policy

This privacy policy was last updated in November 2021. We keep our privacy policy under regular review to make sure it is up to date and accurate. If we make substantial changes to this privacy policy, we notify of such changes by email and will post the updated privacy policy here.