Data Governance
GDPR & Data Governance
Cavefish Ltd · ICO Registration: ZB915633 · Last updated: January 2026
Lawful basis by processing type
Player welfare monitoring (platform deployments)
Basis: Article 6(1)(a) + Article 9(2)(a) — Explicit consent from each player. Under-18: parental/guardian consent additionally required.
Players may withdraw consent at any time. Withdrawal does not affect prior processing.
Manager Intelligence — press conference analysis
Basis: Article 6(1)(f) — Legitimate Interests. LIA-ED-SPORT-001 on file. Article 9 not engaged (AU analysis measures emotional state, not identity — manager is identified by event context, not processing).
DPIA-ED-SPORT-001 completed. Data subjects may object under Article 21.
Editorial and journalistic outputs
Basis: Article 6(1)(f) + DPA 2018 Schedule 2 Paragraph 26 journalism special purposes.
Commercial data feed (trading desk subscribers)
Basis: Article 6(1)(f) — Legitimate Interests. Subscribers operate under a Data Subscriber Agreement requiring their own lawful basis for downstream processing.
Automated decisions affecting individuals are prohibited under subscriber agreement.
Biometric data — Article 9 position
EchoDepth Sport processes facial Action Unit data, which may constitute biometric data under Article 9 UK GDPR depending on the context of processing.
- Platform deployments (player monitoring): Article 9 is engaged. Explicit consent is obtained from every player before processing begins. This is documented and auditable.
- Manager Intelligence: Our primary position is that Article 9 is not engaged — AU analysis identifies emotional state, not the individual. The manager is identified by the event context. This is documented in DPIA-ED-SPORT-001. Alternative Article 9(2)(g) basis applies to editorial outputs.
Data minimisation and retention
- Raw video footage is not retained after processing
- AU vector data is not retained beyond the processing window
- Only composite scores and outputs are retained, as specified in the applicable DPA
- Individual player baselines are recalibrated seasonally; prior baselines deleted unless DPA specifies otherwise
- On-premise deployment available for organisations requiring zero data egress
Enterprise deployment governance
All enterprise deployments of EchoDepth Sport include:
- Signed Data Processing Agreement (UK GDPR Article 28 compliant)
- Deployment-specific DPIA
- Player consent framework and consent documentation
- Welfare officer access controls and audit trail
- Data subject rights fulfilment process
For a governance pack, contact hello@cavefish.co.uk.
Governance documents
- Full Privacy Policy
- Legitimate Interests Assessment — LIA-ED-SPORT-001
- Data Protection Impact Assessment — DPIA-ED-SPORT-001
- Manager Intelligence Transparency Notice (Article 14)
- Data Subscriber Agreement