NORTH COTTESLOE SLSC
TAF Hub
Privacy Notice
How we collect, use, and protect your personal information. Governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles.
For Trainers, Assessors & Facilitators at hub.ncslsc.com

What is the TAF Hub?

The TAF Hub is a closed internal roster tool for North Cottesloe SLSC's ~45 Trainers, Assessors, and Facilitators (TAF) and ~5 admin users. It is used to sign up for teaching sessions, confirm attendance, and generate patrol-hours reports for Surfguard. It is not a public website and is not accessible to members of the public, award candidates, or unprovisioned club members.

Access is granted by the Chair of Education — you must be invited before you can sign in.

This notice supplements the NCSLSC Privacy Policy, which governs all personal information held by the club. Both documents apply to your use of the Hub. Where this notice is more specific, it takes precedence for Hub data. The Hub has no access to other NCSLSC club records, including sensitive information (health, disability, indigenous status) held by the club.

How you sign in

Enter your email address. The Hub sends a magic link — a one-time sign-in link — to that address. Click it to sign in. No password required. On your own device you stay signed in for 12 months without re-entering your email.

A signed device token (cookie) is placed on your device on sign-in. It contains only a random device identifier — not your name, email, or any personal details in readable form. If you sign in on a new device, you receive an email notification as a security alert. To sign out, use Profile → Sign out.

Google or Apple sign-in is also available as an alternative — activated when the Hub moves to hub.ncslsc.com. If you use this option, Google or Apple verifies your identity and shares your email address with the Hub. Their own privacy policies govern that part of the sign-in process.

How your data is protected
Encrypted in transit All communication between your device and the Hub uses HTTPS — the same encryption as online banking.
No passwords stored Sign-in links are one-time use and expire after 10 minutes. There is no password to steal.
Stored in Australia Your data is held on servers in Sydney. Email delivery uses a US-based service for transit only.
Every change is logged The Hub keeps an audit log of every action — who did it and when — reviewed if a dispute arises.
Access-controlled database Database rules mean each user can only read and write their own data — your records are not accessible to other TAFs.
Independent pre-launch audit Before going live at hub.ncslsc.com, the Hub will undergo a formal security and privacy audit by an independent external reviewer.

Personal information we hold

DataWhy we hold it
Full name + preferred nameIdentify TAFs on the session board. Other TAFs see preferred name only.
Email addressIdentity anchor, magic-link sign-in, booking confirmations, reminders.
Mobile number (optional)Direct contact by admins only — not used for sign-in, not shown to other TAFs.
Surfguard Member IDLinks your Hub records to Surfguard for patrol-hours export. Admin-only — never disclosed TAF-to-TAF.
Qualifications + currency datesDetermines which sessions you are eligible to teach.
Sign-up, role, position, pay statusCore roster function — drives the sign-up board and Surfguard reports.
Attendance (confirmed, actual times, confirmer, source)Attendance record used for Surfguard patrol-hours export.
Calendar feed tokenAuthorises your personal iCal subscription feed. Regenerable on request.
Reminder & notification preferencesControls which email categories you receive and when (opt-in).
Web push subscription (if opted in)Delivers in-app push notifications for waitlist promotions and slot events.
Waitlist / interest requestsTracks your place in a waitlist or expression of interest for a paid role.
Device token hash + browser typePowers trusted-device sign-in; triggers new-device alert emails.
Action log (email hash, action, timestamp)Security audit log — reviewed only if a dispute or incident arises.

What we do not collect & who can see your information

No candidate data
No payment information
No location data
No tracking or analytics
No advertising or data sale
WhoWhat they can see
Other TAFsPer-session roster: preferred name, role code, and pay status of TAFs signed up to the same session. Contact details are not visible to other TAFs.
Admin users — Chair of Education + Head Trainers (~5 people)Full roster entry, sign-up history, audit log entries. All admin actions are themselves audit-logged.
Chair of EducationFull access, including the audit log and the ability to onboard, edit, and offboard members.
Surfguard systemsThe Hub exports patrol-hours data in Surfguard Patrol Log format on request only. Data is not pushed automatically.
Third-party processorsResend (email delivery — receives recipient email + content; subject to Resend's privacy policy and data processing agreement); Cloudflare (host — no data persisted); Supabase (database, Sydney AU); Google or Apple (only if you use OAuth sign-in — receives your email + profile name at sign-in; their own privacy policies apply).

How long we keep your information

DataRetention
Trainer Roster entryWhile active. Marked inactive when you cease; removed after one further season.
Teaching slots + attendance recordsRetained as long as required for: Surfguard patrol-hours reconciliation (the Hub is the source record for hours exported to SLSWA); dispute resolution; and club governance (training delivery history). Consistent with the club's standard 7-year policy for operational records. Contact the Chair of Education if you have concerns about a specific record.
Audit log24 months rolling; older entries purged automatically.
Authentication cookieExpires after 12 months, or when you sign out.
Web push subscriptionUntil you revoke permission in your browser settings or via Profile → Notifications.

Your data is stored in Australia (Sydney). Email delivery via Resend transits the US but is not stored there.

Your rights
What you can do
  • Access your data — request a copy of everything we hold about you. We will respond within 30 days.
  • Correct your data — if your name, email, qualifications, or role are wrong, contact the Chair of Education. We will respond within 30 days.
  • Unsubscribe from non-transactional email — use the unsubscribe link in any reminder or alert email, or go to Profile → Notifications. Transactional mail (magic links, booking confirmations) cannot be suppressed while your account is active.
  • Revoke your calendar feed — go to Profile → Calendar sync → Regenerate. This immediately invalidates the old URL.
  • Withdraw web push consent — via Profile → Notifications, or your device browser settings.
  • Request deletion — on ceasing as an active TAF your record is marked inactive. Full deletion is available on request; audit log entries referencing your actions may be retained for their standard 24-month period. You can also use Profile → Leave Hub if you have no upcoming committed sessions. If you have upcoming commitments and still wish to leave, contact the Chair of Education directly — they can process the request manually. We will respond within 30 days.
  • Be notified of a data breach — the Hub is subject to Australia's Notifiable Data Breaches (NDB) scheme. If an eligible breach involving your information occurs, you will be notified by the Chair of Education and, where required, the Office of the Australian Information Commissioner (OAIC) will also be notified.
  • Complain to the OAIC — if your privacy concern is not resolved to your satisfaction by the Chair of Education or the MPIO, you have the right to lodge a complaint with the Office of the Australian Information Commissioner at oaic.gov.au under the Privacy Act 1988.

Hub privacy queries and requests: education@ncslsc.com — Chair of Education, NCSLSC. We will respond within 30 days.

Formal privacy complaints must be directed to the NCSLSC General Manager at enquiries@ncslsc.com or 08 9284 2626, consistent with the NCSLSC Privacy Policy.

If your complaint is not resolved to your satisfaction, contact the NCSLSC Member Protection Information Officer at mpio@ncslsc.com, or escalate to the OAIC at oaic.gov.au.