Apex Action Firearms
Privacy Policy
Last updated 26 June 2026
This policy explains what personal information we collect when you book or enrol on a course, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We've tried to write it in plain English rather than legal boilerplate.
Who we are
Apex Action Firearms Ltd is the “data controller” for the personal information described in this policy — meaning we decide what data is collected and how it's used.
- Company name: Apex Action Firearms Ltd
- Registered in England & Wales, company number 17244910
- Registered office: 82A James Carter Road, Mildenhall, IP28 7DE
- Contact for any privacy question or request: [email protected]
We have not appointed a Data Protection Officer. We're a small company and don't carry out large-scale or high-risk processing, so we're below the threshold at which UK GDPR makes a DPO mandatory. You can raise any data protection matter with us directly at the email above.
What we collect
We only collect what we need to run our courses and meet our legal duties. Depending on how far you go through booking and enrolment, this can include:
- Booking data — your name, email address and phone number.
- Identity data — photo ID (passport or driving licence) and two proofs of address, which you upload through the enrolment portal so we can verify who you are before live-fire training. If you bring your own firearm, this also includes the front covers of your Firearms Certificate (FAC) and/or Shotgun Certificate (SGC).
- Declaration data — the name you sign and the date and time you sign it when you complete the Section 21 firearms declaration online.
- Payment data — payments are handled by Stripe. We receive confirmation that a payment succeeded and a reference, but we never see or store your full card number.
- Technical data — your IP address and basic browser information, processed by Cloudflare as our hosting and security provider when you use the site.
How we collect it
We collect the above information:
- directly from you through the booking form on this website;
- from you through the enrolment portal, where you upload identity documents and sign the Section 21 declaration;
- from Stripe Checkout, when you pay (we receive the payment outcome, not your card details);
- through the emails we send via Resend (for example delivery confirmations); and
- automatically, as technical data, when your browser connects to the site through Cloudflare.
Why we use it
We use your personal information to:
- take and manage your course booking and your place on the day;
- communicate with you about your booking, enrolment and the course;
- verify your identity and eligibility, and comply with UK firearms law (including the Section 21 declaration);
- take payment and keep proper financial records; and
- keep the website secure and prevent fraud.
We do notuse your information for marketing, and we don't sell it to anyone.
Our lawful basis for using your data
UK GDPR requires us to have a lawful basis for each thing we do with your data. Ours are:
| What we do | Lawful basis | Why |
|---|---|---|
| Take and manage your booking; handle your identity documents for enrolment; communicate with you about the course | Performance of a contract | We need this information to provide the course you've booked. |
| Keep records of your Section 21 firearms declaration and identity checks | Legal obligation | We're required to operate lawfully under UK firearms law, which means recording that proper declarations and checks were made. |
| Retain booking and payment records for 7 years | Legal obligation | UK tax and accounting law requires us to keep financial records. |
| Process payments via Stripe | Performance of a contract | Needed to take payment for the course you've booked. |
| Site security, fraud prevention and basic analytics | Legitimate interests | We have a legitimate interest in keeping the site secure and understanding, in aggregate, how it's used — balanced against your privacy. |
| Non-essential cookies (if any are introduced) | Consent | We only set non-essential cookies if you agree via the cookie banner, and you can change your mind at any time. |
Where we rely on legitimate interests, you have the right to object — see “Your rights” below.
Who we share it with
We don't sell your data. We share it only with the service providers we need to run the business, and only as far as necessary. Each acts as our processor under a contract, and the first three may process limited data outside the UK under appropriate safeguards.
| Who | Why |
|---|---|
| Stripe | Takes your payment securely. Stripe handles your card details directly — we never receive them. |
| Resend | Sends the transactional emails relating to your booking and enrolment. |
| Cloudflare | Hosts the website and its database/document storage, and provides security and proxying. |
We may also disclose information where we're legally required to — for example to the police or a licensing authority in connection with firearms law, or to HMRC.
How long we keep it
- Bookings and identity documents — 7 years from the course date, to meet HMRC financial record-keeping and legal record retention requirements. After that, identity documents are deleted.
- Section 21 declarations — 7 years, as a record that the declaration was properly made.
- Anonymised analytics — kept on an ongoing basis. This data no longer identifies you.
If you ask us to erase your data, we'll delete your identity documents and remove the personal details from your booking. We may need to keep a minimal financial record of the transaction itself (with your personal details removed) to meet our legal obligations to HMRC — this record can no longer identify you.
Where your data is stored
Our data is stored using Cloudflare's infrastructure, and payment and email processing involve Stripe and Resend respectively. Some of these providers may process data outside the UK. Where they do, they rely on safeguards recognised under UK data protection law (such as the UK's International Data Transfer Agreement or equivalent) to keep your data protected to UK standards.
Your rights
Under UK GDPR you have the right to:
- Access — ask for a copy of the personal data we hold about you;
- Correction— ask us to correct data that's wrong or incomplete;
- Erasure — ask us to delete your data (subject to records we must keep by law);
- Portability — ask for your data in a portable format;
- Objection — object to processing we carry out on the basis of legitimate interests;
- Complaint— complain to the Information Commissioner's Office (ICO) if you think we've mishandled your data, at ico.org.uk/concerns. We'd ask that you contact us first so we can try to put things right.
How to exercise your rights
Email [email protected] with the subject line “Data request”, telling us what you'd like us to do. We may need to confirm your identity before we act, to make sure we don't release data to the wrong person. We'll respond within one month, and there's normally no charge.
Updates to this policy
We may update this policy from time to time — for example if we change how the site works or which providers we use. When we do, we'll change the “last updated” date at the top of this page. If a change significantly affects how we use your data, we'll take reasonable steps to let you know.