1. Who we are

We are Enduro Sports Organisation Limited, registered in Scotland with company number SC437697 whose registered office is at 60 High Street, Innerleithen, Scotland, EH44 6HF and we are the data controller of the personal information that we collect from you.

Our EU Representative is Discovery Communications Benelux B.V. whose registered office is at Kraanspoor 20, 1033 SE, Amsterdam, Netherlands.

ESO is part of the Play Sports Group of companies (incorporating the separate legal entities Play Sports Network Limited, Play Sports Group Limited and Enduro Sports Organisation Limited). As of January 2019, the Play Sports Group of companies are subsidiaries of Discovery, Inc. Accordingly, where we refer to our holding companies and our wider group of companies within this privacy policy, this includes Discovery, Inc. and its subsidiaries.

2. Children

As of June 2021, we launched a series of races called EWS Kids which is open to riders aged between 2 and 16.

Outside of our EWS Kids series, we do not and will not knowingly collect information from any unsupervised child under the age of 13 (or the relevant age for giving valid consent in your jurisdiction, if different). Our Services are not directed at children and we do not knowingly collect any personal information from children.

3. The personal information we collect about you

Information from your online interactions

We collect the following information from your interaction with the Services:

• how you access our Services and the devices that you use to access our Services. This includes collecting unique online identifiers such as IP address and your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Services;
• information about how you use the Services, including but not limited to sign-in and sign-out (where applicable), site visits, reporting of errors you may encounter in the Services, browsing information and patterns, your video consumption and playback as well as cookies, server logs and other similar technologies, and we may also receive technical data about you if you visit other websites employing our cookies or other tracking technologies. Please see our cookie policy for further information;
• information about how you engage with our online marketing; including information about whether our marketing is delivered to you and how you interact with it; and
• any e-mail or other communications, including attachments, which you send to us through or in relation to the Services.

Information that you share with us

This includes personal information you submit to us through data entry fields required as part of your use of a Service including, without limitation, when you:

• purchase, access, subscribe to or download our products or services (including signing up to our EWS portal or a retail / event purchase);
• submit content including photos, comments, videos and other materials that you upload, submit or share via the Services ("User Content");
• create an account in order to use one or more of our Services;
• enter or attend a race organised by us either as a participant, race team member, media attendee or general spectator;
• apply for a job with us (including through any third-party recruitment platform we may use from time to time);
• request marketing or newsletters to be sent to you;
• enter a competition, prize giveaway, promotion, quiz or survey;
• provide us with feedback.

When you submit personal information to us through any of the above Services, we may collect the following information from you:

• your name;
• your e-mail address;
• your physical address;
• your phone number;
• your gender;
• you date of birth;
• your nationality;
• any email or other communications, including attachments, which you send to us;
• where you are purchasing services from us, your payment information including cardholder name billing address; bank account and payment card details and information about the transactions such as the products or services purchased;
• where you are providing services to us, your payment information, insurance details, professional licences, certificates and qualifications
• your Facebook, Apple or Google login, where you use a Facebook, Apple or Google login to create or sign in to an account with us; and
• profile data including your username and password for registering an account, purchases or orders made by you, your interests and preferences, such as your marketing preferences, and survey responses or feedback provided by you.

Third parties or publicly available sources

We may receive personal information about you from various third parties as set out below:

• technical data from the following parties:
  • analytics providers such as Google based inside and outside the EU;
  • advertising networks based inside and outside the EU;
  • data management platform providers based inside and outside the EU; and
  • search information providers based inside and outside the EU.
• if you log into the Services through a third-party social media account such as Facebook, we will collect certain Information relating to your account with those social media platforms including your name, profile image, age group, gender and other information available on your public profile. You can manage the data which is shared by social media platforms with us by amending your preferences through using the privacy settings which these third parties provide on their platforms.

For further information about how each of these parties collect and use your data, please see the 'Third-Party advertising companies' section below;

• identity and contact data from data brokers, aggregators and publicly available sources;
• contact, financial and transaction data from providers of technical, payment and delivery services; and
• third parties that provide certain services to us within the Services, for example, facilitating and administering customer feedback forms and newsletter subscriptions, payment providers and third parties providing recruitment, booking and other services to us.

We do not collect any Special Categories of Personal Data about you (which includes details about race or ethnicity, religious or philosophical beliefs, political opinions etc).

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

5. How we share your personal information and who we share it with

Sharing of personal information across Services

In order to access or interact with some of the Services we offer, you are required to register for an account. You will be able to access or interact with multiple different Services via this account (for example you may purchase an item from an online store and interact with the EWS Portal. You agree to ESO sharing your personal information submitted to an account across the various Services you may access or interact with through that account. This helps us to build a better profile of your account and make the content you see more relevant to you.

Sharing of personal information with others

Additionally, we disclose information under the following circumstances:

• Third-party companies: When we share information with third-party service companies to facilitate or to provide certain services on our behalf. This will include:
• IT infrastructure companies that facilitate our provision of the Services to you such as providers of our platform (including for example Amazon Web Services and Google Cloud Platform);
• Third parties who provide first level customer support and subscription management services on our behalf. In some cases you may be required to sign up for an account operated by a third party in order to access or use a Service, in which case you should check such third party’s privacy and cookie policies prior to doing so;
• IT support service providers;
• Payment service providers (if you pay to subscribe to our Services) who will process your subscription payments on our behalf;
• Third parties who facilitate delivery and management of orders or subscriptions (currently including Green Snow Limited (order processing), Realtime Despatch Software Limited (warehouse management) and SPORTident GmbH (event timing) . We are careful to ensure that any personal information processed by these providers is limited insofar as possible and that appropriate security measures are in place to ensure the safety of your information. For further details, please refer to the terms and conditions for our shop sites (as applicable), available at https://shop.enduroworldseries.com/pages/terms-conditions,
• Third party organisations to process and display customer reviews of products purchased through our websites, which third party may be provided with order details including your name, email address and details of the products you have purchased, to enable them to contact you to ask for a review and for no other reason. You are not under any obligation to provide a review, but we're grateful for your feedback!;
• For purchases of tickets to events and festivals we operate from time to time, we may appoint third party organisations who will process your payment and / or booking information;
• Third parties who may provide you with a prize where you enter a promotional giveaway (where this is stated in the terms and conditions for any particular giveaway); and
• Other third-party service providers, for the purpose of providing or tracking our customers' use of the Services (which may include organisations providing remarketing services such as Google, Criteo, and Facebook), providing recruitment platform services and booking platform services to us.

These companies are authorised to use your personal information only as necessary to provide these Services to us and in accordance with our instructions.

• Group companies: We may provide your personal information to our subsidiaries or affiliated companies for the purpose of processing personal information on our behalf to provide the Services to you, including sending you information about products and services that may be of interest to you in accordance with this Privacy Policy, and the provision of customer services or subscription management. These parties are required to process such information based on our instructions and in accordance with this privacy policy. They do not have any independent right to share this information.
• Compliance with laws and legal proceedings: When we respond to court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. When we believe in our sole discretion it is necessary to share information in order to investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of the terms of use which relate to the Service in question, or as otherwise required by law.
• Merger or acquisition: When we need to transfer information about you if we are acquired by or merged with another company. If we are involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified afterwards via e-mail and/or a prominent notice on our Services of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
• Sharing your User Content. Any User Content which you voluntarily disclose on the Services will become visible to other users of the Services.

6. International transfers

If you are located in the EU or the United Kingdom (“UK”) then we may transfer personal information that we collect from you to third party data processors located in countries that are outside of the European Economic Area ("EEA") and/or the UK (including to the United States) or to members of our group of companies in connection with the above purposes. Please be aware that countries which are outside the EEA and the UK may not offer the same level of data protection as the EEA and the UK, although our collection, storage and use of your personal information will continue to be governed by this privacy policy.

When transferring personal information outside the EEA and the UK, we will:

• include the standard contractual data protection clauses approved by the European Commission or the UK Government (as applicable) for transferring personal information outside the EEA and UK into our contracts with those third parties (these are the clauses approved under Article 46.2 of the General Data Protection Regulation ("GDPR") and the UK version of it); or
• ensure that the country in which your personal information will be handled has been deemed "adequate" by the European Commission under Article 45 of the GDPR.

You can find out further information about the rules on data transfers outside the EEA and the UK, including the mechanisms that we rely upon, on the European Commission website here and on the Information Commissioner's Office website here.

7. Cookies and similar technologies

Technologies such as cookies, beacons, tags, scripts and SDKs are used by us and our partners, affiliates, or analytics or service providers. These technologies are used in analysing trends, administering the Services, tracking users’ movements around the Services and to gather demographic information about our user base as a whole. We receive reports based on the use of these technologies by these companies on an individual as well as aggregated basis.

We use cookies, for example, to remember users’ settings (e.g. language preference) and for authentication. Users can control the use of cookies at any time through our Cookie Preference Centre at individual browser level and, in some cases, the settings on your mobile device. Users can control the use of cookies at the individual browser level. If you reject cookies, you may still use our Services, but your ability to use some features or areas of our Services may be limited.

Please read more about how we use cookies and other tracking technologies and what information is collected using cookies in our Cookie Policy.

8. Security

We have put in place appropriate security measures to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Whilst we take appropriate technical and organisational measures to safeguard the personal information that you provide to us, no transmission over the Internet can ever be guaranteed secure. Consequently, please note that we cannot guarantee the security of any personal information that you transfer over the Internet to us.

9. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. By law we may have to keep certain basic information about our customers for six years after they cease being customers for tax or other compliance purposes.

In some circumstances, we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

10. Your rights

You have certain rights in relation to your personal information. If you would like further information in relation to these or would like to exercise any of them, please contact our DPO at [email protected].

You have the right to request that we:

• provide access to any personal information we hold about you;
• update any of your personal information which is out of date or incorrect;
• delete any personal information which we are holding about you;
• restrict the way that we process your personal information;
• prevent the processing of your personal information for direct-marketing purposes;
• provide your personal information to a third party provider of services;
• provide you with a copy of any personal information which we hold about you; or
• consider any valid objections which you have to our use of your personal information.

If you are a French resident then you have the right to provide us with instructions on the management (e.g., retention, erasure and disclosure) of your personal information after your death. You can change or revoke your instructions at any time.

We will consider all such requests and provide our response within a reasonable period (and in any event within any time period required by applicable law). Please note, however, that certain personal information may be exempt from such requests in certain circumstances.

If an exception applies, we will tell you this when responding to your request. We may request you provide us with information necessary to confirm your identity before responding to any request you make.

If we delete any personal information which are holding about you, this deletion may only relate to the Services and not any other service provided by us in other jurisdictions. You should make requests for each account that you may have set up to access the Services or any other service provided by us.

11. Marketing

Like many organisations, we may target banners and ads to you when you are on other websites and apps. We do this using a variety of digital marketing networks and ad exchanges, and we use a range of advertising technologies like web beacons, pixels, ad tags, cookies, and mobile identifiers, as well as email and platform specific services offered by some sites and social networks, (for example Facebook’s Custom Audience service).

The banners and ads you see will be based on information we hold about you, or your previous use of our Services (for example, your search history whilst using one of our websites or the content you view whilst on our Services) or on our banners or ads you have previously clicked on.

We may also use services such as those provided by MailChimp in order to contact you about items you have looked at or placed in a shopping cart on any of our shop sites, if you do not proceed to complete a purchase. MailChimp and other such providers employ the use of cookies, unique identifiers, web beacons and similar tracking technologies to keep tabs on things like open rates and conversion rates.

We will collect and use your personal information for undertaking marketing by email.

We will send you certain marketing communications (including electronic marketing communications) if we have your consent to do so for marketing and business development purposes.

However, we will always obtain your consent to direct marketing communications where we are required to do so by law and if we intend to disclose your personal information to any third party for such marketing. If you wish to stop receiving marketing communications, you can click on the easy to use unsubscribe link in any marketing email from us, change your preferences in your account settings or contact us by email at [email protected].

12. Third party links, sites and service providers

The Services contains links and pages to other websites operated by third parties. Please note that this privacy policy applies only to the personal information that we collect through the Services and we cannot be responsible for personal information that third parties may collect, store and use through their website. You should always read the privacy policy of each website you visit carefully.

Where you provide data to a third party such as those outlined above, generally your sharing of data will be governed by the privacy terms of that third party, and unless otherwise stated we are not responsible for such sharing or for any additional personal information you may decide to provide to such third parties. You are strongly advised to read any relevant third party's privacy and cookie policies prior to any such sharing of data.

13. Changes to this privacy policy

This privacy policy was last updated on 9 May 2022.

Please check back regularly to keep informed of updates to this privacy policy. Where we make significant changes to this privacy policy, and we have your e-mail address, we will send you notification of the changes.

14. Complaints, questions and suggestions

We have a Data Privacy Manager that can assist with all queries regarding our processing of personal information. Our Data Privacy Manager can be contacted by e-mailing [email protected].

In the EEA, you may also make a complaint to our supervisory body for data protection matters (the Information Commissioner's Office in the UK) or seek a remedy through local courts if you believe your rights have been breached.

You have the right to lodge a complaint with local data protection authorities in the EEA if you believe we have not complied with applicable data protection laws. The local authority differs depending on the country. Please contact us in the first instance before exercising your right to make a complaint to any supervisory authority for data protection issues; we will do our best to resolve any concerns you may have. Please see the Annex for your local data protection authority.