Payments at FixtureFlow

How online payments work · who handles what · your rights under GDPR

FixtureFlow uses Stripe to process online membership payments — so card data never touches our servers. Each club is its own legal merchant on Stripe; FixtureFlow connects clubs and members but never holds the money. This page covers the data flow, your rights, fees, and refunds.

For members paying online

When your club has online payments enabled and a season has a price set, you'll be redirected to Stripe Checkout — a Stripe-hosted payment page — after submitting your registration on /join/{seasonID}.

What happens during payment:

  1. You fill in your name, email, and (optionally) grade/level/gender on FixtureFlow.
  2. You're redirected to a Stripe-hosted page at checkout.stripe.com. Card data goes directly from your browser to Stripe; it never passes through FixtureFlow's servers.
  3. Pay with card, Apple Pay, or Google Pay. Your bank statement shows your club's name (not "FixtureFlow") — your club is the legal merchant.
  4. Stripe redirects you back to FixtureFlow with a confirmation. A receipt is emailed to you directly by Stripe.
  5. Your membership shows as paid once Stripe notifies us (usually instant).

If you don't see your payment marked paid: refresh the page; the notification from Stripe usually arrives within a couple of seconds. If it persists, your club admin has a "Sync from Stripe" button on their roster that fetches the latest status manually. Contact your admin if you need that.

You can pause without paying. Clicking "Cancel" on the Stripe page returns you to FixtureFlow without a charge. Your registration is saved as pending; you can come back and complete the payment any time.

For club admins — connecting Stripe

Visit Admin → Billing in your sidebar to connect your club's Stripe account. It takes about 5 minutes; you'll need:

  • A photo of your passport or driver's license (for Stripe's KYC)
  • Your club's IBAN for payouts
  • Your business address + the name you want to appear on card statements

Click "Connect Stripe" → you'll be redirected to Stripe-hosted onboarding. Stripe creates a connected account in your club's name, linked to the FixtureFlow platform. Once accepted you're returned to FixtureFlow with the connection active.

The opt-out toggle. If you'd rather not use online payments — or want to suspend them temporarily without disconnecting — flip the "Payment gateway" toggle on the same page. Members will fall back to the manual / screenshot-proof flow.

Receiving money. Stripe deposits payouts directly to your IBAN — usually 7-day rolling at first, daily after ~30 days of clean activity. Manage payouts, view dispute details, and download full transaction history at dashboard.stripe.com.

Per-season prices. Stripe Checkout is triggered when a season has a Price (€) set on the season form. Leave the price blank to keep that season on the manual flow (members enter a bank-transfer reference + optional screenshot).

Refunds & disputes

Refunds (admin-initiated). Open Admin → Payments, find the row, click "Refund". A modal lets you choose full or partial refund, pick a Stripe-visible reason (requested-by-customer / duplicate / fraudulent), and add an internal note. Stripe emails the cardholder a refund confirmation; the membership row updates within seconds.

Partial refunds are summed server-side against the original payment, so you can never refund more than was captured. You'll see "Refunded €X.XX" on the row once the refund settles.

Refunds initiated in the Stripe dashboard. If you issue a refund directly from dashboard.stripe.com instead, FixtureFlow picks it up automatically via webhook and updates the row.

Disputes (chargebacks). If a cardholder disputes the charge with their bank, Stripe notifies the club directly via the connected account. The club is the legal merchant — disputes are handled in Stripe's dashboard, not in FixtureFlow. Stripe's docs at stripe.com/docs/disputes are the canonical guide.

Security & PCI compliance

We never see card data. Stripe Checkout is hosted on checkout.stripe.com. The card number, CVC, and expiry travel browser → Stripe directly via HTTPS. They are never sent to FixtureFlow servers and never written to our database. We operate under PCI-DSS scope SAQ-A, the lowest tier reserved for merchants who fully outsource card handling to a PCI-DSS Level 1 provider (Stripe).

What we store about a payment:

  • Amount + currency
  • Stripe transaction id (pi_…) + charge id
  • Paid-at timestamp + status
  • Reference back to the member + season

What we never store: card numbers, CVC, expiry, cardholder name, billing address, or any Primary Account Number (PAN) data.

Webhook integrity. Stripe POSTs payment events to /webhooks/stripe over HTTPS. Each event is signed with a shared secret using HMAC-SHA256; FixtureFlow verifies the signature against the raw bytes before accepting any event. A unique constraint on the Stripe event id prevents replay attacks.
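
The check described above, sketched as an added example (not FixtureFlow's own code). It follows Stripe's documented Stripe-Signature header format (t=<timestamp>,v1=<hex HMAC> computed over "<timestamp>.<raw body>"); the stripe_events table, the 5-minute tolerance, and all function names are assumptions, and the secret and event are constructed.

```python
import hashlib, hmac, json, sqlite3, time

TOLERANCE_SECONDS = 300  # assumption: reject deliveries signed over 5 minutes ago

def parse_signature_header(header):
    """Split 't=...,v1=...' into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures

def accept_event(db, secret, raw_body, header, now=None):
    """Return 'accepted', 'duplicate' or 'rejected' for one webhook delivery."""
    now = time.time() if now is None else now
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or abs(now - timestamp) > TOLERANCE_SECONDS:
        return "rejected"
    # Sign the exact bytes received; re-serialised JSON would not match.
    signed = str(timestamp).encode() + b"." + raw_body
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison, so timing does not leak matching prefixes.
    if not any(hmac.compare_digest(expected, s.encode()) for s in signatures):
        return "rejected"
    event_id = json.loads(raw_body)["id"]  # parsed only after the MAC checks out
    try:
        with db:  # the unique constraint is the replay guard
            db.execute("INSERT INTO stripe_events (event_id) VALUES (?)", (event_id,))
    except sqlite3.IntegrityError:
        return "duplicate"
    return "accepted"

def make_event_store():
    """In-memory stand-in for the events table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE stripe_events (event_id TEXT PRIMARY KEY)")
    return db

def sign(secret, raw_body, timestamp):
    """Constructed helper: build the header the way the sender would."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"
```

A "duplicate" result should still be answered with a 2xx status so the sender stops retrying, while the event's side effects are skipped.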

Strong Customer Authentication (PSD2). For EU-issued cards, Stripe runs 3-D Secure 2 (3DS2) authentication when required. Members may be prompted by their bank for a one-time code or biometric. This is non-negotiable for EU card payments and adds a meaningful fraud-prevention layer.

Refund authorisation. Refunds can only be issued by admin-role users on a club. Member-role accounts and unauthenticated visitors have no access to the refund UI or endpoint. Refund amounts are validated server-side against the original captured amount to prevent over-refunding.
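
One way to enforce the refund rules described above and under "Refunds & disputes", as an added example (not FixtureFlow's own code). The schema, role names, and function names are assumptions and the rows are constructed; amounts are integer cents, and the cap is enforced inside a single UPDATE so two concurrent partial refunds cannot both pass a stale check.

```python
import sqlite3

def make_payments_db():
    """In-memory stand-in with a hypothetical schema and constructed rows."""
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE payments (id TEXT PRIMARY KEY, club_id TEXT, "
               "captured_cents INTEGER, refunded_cents INTEGER NOT NULL DEFAULT 0)")
    db.execute("CREATE TABLE club_roles (user_id TEXT, club_id TEXT, role TEXT)")
    db.execute("INSERT INTO payments VALUES ('pay_constructed_1', 'club_a', 5000, 0)")
    db.executemany("INSERT INTO club_roles VALUES (?, ?, ?)", [
        ("u_admin", "club_a", "admin"),
        ("u_member", "club_a", "member"),
        ("u_other_admin", "club_b", "admin"),  # admin, but of a different club
    ])
    return db

def request_refund(db, user_id, payment_id, amount_cents):
    """Return 'ok', 'invalid', 'forbidden' or 'exceeds_captured'."""
    # Reject floats, bools, zero and negatives before touching the database.
    if type(amount_cents) is not int or amount_cents <= 0:
        return "invalid"
    # The caller must hold the admin role on the club that owns this payment.
    # An unknown payment id gives the same answer, so ids cannot be probed.
    allowed = db.execute(
        "SELECT 1 FROM payments p JOIN club_roles r ON r.club_id = p.club_id "
        "WHERE p.id = ? AND r.user_id = ? AND r.role = 'admin'",
        (payment_id, user_id)).fetchone()
    if allowed is None:
        return "forbidden"
    # Check and increment in one statement: the row changes only if the
    # running refund total plus this request stays within the captured amount.
    cur = db.execute(
        "UPDATE payments SET refunded_cents = refunded_cents + ? "
        "WHERE id = ? AND refunded_cents + ? <= captured_cents",
        (amount_cents, payment_id, amount_cents))
    return "ok" if cur.rowcount == 1 else "exceeds_captured"

def refunded_total(db, payment_id):
    """Current sum of refunds recorded against a payment, in cents."""
    return db.execute("SELECT refunded_cents FROM payments WHERE id = ?",
                      (payment_id,)).fetchone()[0]
```

In a real flow the reserved amount would be released again if the refund call to the payment provider fails.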

Audit log. Every Stripe connect, disconnect, capability refresh, refund initiate, and refund outcome is written to the audit log with the actor's user id, target ids, and a timestamp. Visit Admin → Audit log to inspect.

GDPR & your rights as a member

When your club uses online payments, you are exercising your own decision to pay — that's the lawful basis. The detailed sub-processor list and full data-flow description live in our Privacy Policy. Highlights specific to payments:

Right to access. You can see your own payment history on your profile under "My memberships". For a full machine-readable export including payment IDs, click "Download my data" on the same page.

Right to rectification. If a payment is recorded incorrectly (wrong amount, wrong season), contact your club admin — they can edit manual records directly and refund / re-charge Stripe records.

Right to erasure. You can ask your club admin to delete your account. Your membership records (including Stripe transaction ids) are deleted from FixtureFlow. Stripe retains its own records of the transaction under its own policies — typically 7 years for tax + AML compliance. We can't override Stripe's retention; they're an independent controller for that purpose.

Right to portability. "Download my data" on your profile returns a machine-readable JSON file that includes your full payment history.

Right to object & complain. You can choose not to pay online — most clubs accept bank transfer + screenshot as an alternative. For data-protection complaints, contact your club admin first; you also have the right to lodge a complaint with your national supervisory authority (in Ireland: the DPC).

Stripe is a regulated payment institution (Stripe Payments Europe Ltd, Dublin, Ireland). Their privacy policy is at stripe.com/ie/privacy.

Fees & payouts

Stripe charges the club — not the member, not FixtureFlow — for processing:

  • 1.5% + €0.25 per transaction for EEA-issued cards
  • 2.5% + €0.25 per transaction for non-EEA cards
  • Refund: the percentage fee is returned; Stripe keeps the €0.25 fixed fee on a refund

FixtureFlow currently takes no platform fee — payments are pass-through (0%). If we ever introduce a SaaS fee on transactions, we'll communicate it before charging and update this page.

Payouts. Stripe deposits to the club's IBAN on a rolling schedule: 7-day rolling at first, daily after ~30 days of clean activity. The club admin sees the schedule + balance at dashboard.stripe.com.