Privacy Policy

Version v2 · 2026-06-14

Who we are

FixtureFlow ("we", "us") is a scheduling tool sold to local sports clubs. This policy explains how we process personal data when your club uses FixtureFlow.

Your club is the data controller for its members' data. FixtureFlow is the data processor — we host and process the data on the club's behalf under a Data Processing Agreement.

What data we collect

  • Member profile: name, email, phone (optional), photo (optional), playing grade/level, gender (optional).
  • Login: username (= email for members), password hash (bcrypt). We never store plaintext passwords.
  • Play history: which sessions a member checked in to, the matches they played, RSVPs to upcoming sessions.
  • Auth cookies: a signed session cookie (httpOnly, SameSite=Lax, 7-day TTL) and an optional "remember-me" cookie for the RSVP page.

We do not use third-party analytics, advertising, or tracking pixels.

Why we process it (lawful basis)

  • Contract — running sessions, generating fair fixtures, recording check-ins, sending nobody emails. This is essential for the service.
  • Consent — for members with their own login, accepted on first sign-in. The club admin attests they have a lawful basis (typically the member's prior consent or legitimate interest as part of club membership) when adding a member who doesn't yet have a login.

Where data lives

All FixtureFlow data is stored in the EU. We run two deployments: AWS Ireland (eu-west-1) and Fly.io Frankfurt (fra). No personal data leaves the EU.

Sub-processors: Amazon Web Services (EU regions only), Fly.io (EU regions only), Let's Encrypt (certificate authority — no personal data shared). A current list is maintained in our public sub-processor register.

How long we keep it

  • Sessions — auto-deleted after 5 days (only the 6 most-recent are kept per club).
  • RSVPs — retained for 6 months, then deleted.
  • Notifications (admin & member inbox) — retained for 3 months, then deleted.
  • Member rows — kept until the member or their admin deletes them, or until 24 months of inactivity (then auto-anonymised).
  • Audit logs — 24 months.

Your rights

  • Access & portability — download all data we hold about you from My profile → Download my data (machine-readable JSON).
  • Rectification — edit your email + photo any time from My profile; ask your club admin to fix your name/grade.
  • Erasure — ask your club admin to delete you, or click Take a break — pause my account on your profile. Deletion removes all your personal data, including match history references.
  • Restriction — same "pause my account" button stops processing your data without deleting it.
  • Object — we don't do marketing or profiling, but if you want to stop processing for any reason, contact your club admin.
  • Complaint — you have the right to lodge a complaint with the supervisory authority in your EU country.

Cookies & local storage

FixtureFlow uses only strictly necessary storage — no analytics, advertising, or cross-site tracking cookies. No consent prompt is required for these, but here's the full list:

  • session (cookie; HttpOnly, SameSite=Lax; lifetime 7 days): keeps you signed in. Set after a successful login; cleared on logout / pause.
  • rsvp_name (cookie; SameSite=Lax; lifetime 90 days): remembers the name you typed on a public RSVP link so you don't retype it next time.
  • only-my-games:<session> (localStorage; until you clear it): remembers your "show only my matches" filter preference per session schedule.

Breach notification

If we suspect a personal data breach, we notify the affected club admins without undue delay and, where required, the relevant supervisory authority within 72 hours. When a breach affects a child's records, we also notify the guardian on file in plain language.

Children and guardians

Some clubs enrol junior members. Whether this section applies to your club depends on a per-club setting Child memberships — managed by the club admin on the Club settings page, or by the operator on the Edit Club modal at /admin/clubs/. When the setting is off, the club's roster is adults-only by policy and the rest of this section does not apply.

For kids and guardians, in plain language:
  • If you are under 16, we ask a parent or guardian to say it's OK before we add you to any session.
  • We only store your name, your year of birth (year only, not the full date), and your playing grade. Not your address, school, or photo.
  • Your parent or guardian gets an email with a button to Approve or Decline.
  • Your parent or guardian can download everything we have for you, or delete it for good, any time — from a portal at /g/dsr.
  • When you turn 17, you take over your own consent — we stop asking your guardian and ask you instead.

What we collect

When your club has Child memberships enabled, we collect year of birth from every member at the club — not just juniors. The year is the only thing we need to answer "is this member under the consent age?" and we ask it of everyone so the answer is authoritative rather than guessed. Adults' year of birth is stored on their member row and not used for anything else. Existing members are prompted to add their year of birth when they next open the app.

For members under 16 we additionally collect:

  • Guardian contact: name, email, and relationship to the child (parent / guardian / other).
  • Guardian-consent metadata: timestamp, method (email round-trip), and the SHA-256 hash of the one-time link we sent. We never store the plaintext link.

We deliberately do not collect: full date of birth, school, home address, photo (blocked at upload for minors), biometric data, or any special-category data.

Lawful basis

Processing for members under 16 is performed on the basis of the guardian's consent (GDPR Art. 6(1)(a) + Art. 8). We collect that consent via a double-opt-in email round-trip. The age threshold is 16 — the conservative ceiling across all EU member states.

The guardian-consent flow

  1. An admin (or a public registration form) enters the kid's year of birth + the guardian's name, email and relationship.
  2. We mint a single-use, 32-byte random token (stored at rest only as its SHA-256 hex digest) and email the plain link to the guardian.
  3. The guardian opens /g/consent/{token} and chooses Approve or Decline. Approving makes the kid active; declining leaves them inactive and no further data is processed.
  4. The link expires after 7 days. Admins can resend a fresh link from the Members page; resending invalidates any earlier link.

Guardian data-rights portal

The same email that approves consent can also exercise the child's GDPR rights without involving the club:

  1. Open /g/dsr and enter your guardian email.
  2. We email a portal link valid for 1 hour.
  3. Inside the portal you can download a JSON copy of any child's data, or permanently delete them. Deletion uses the same pseudonymisation logic as the admin path — match-history slots become "Deleted", the member row and any login are removed.

Each portal action is audit-logged with a system actor (no club admin involved) under the guardian_dsr.* action namespace.
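An added illustration (not FixtureFlow's own code) of the link-token properties stated in the consent flow above and in the portal step: a 32-byte random token of which only the SHA-256 hex is stored, single use, a per-link TTL (7 days for consent, 1 hour for the portal), and resending invalidating any earlier link. The in-memory table, the `subject` field and the fixed clock in `demo()` are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONSENT_TTL = timedelta(days=7)  # guardian consent link (step 4 of the flow)
DSR_TTL = timedelta(hours=1)     # guardian data-rights portal link

@dataclass
class LinkRecord:
    subject: str            # assumed: the member id or guardian email the link is for
    expires_at: datetime
    used: bool = False

class OneTimeLinks:
    """In-memory stand-in for the database table, keyed by the SHA-256 hex of the token."""
    def __init__(self) -> None:
        self._by_hash: dict[str, LinkRecord] = {}
    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()
    def issue(self, subject: str, ttl: timedelta, now: datetime) -> str:
        # Resending replaces any earlier link for the same subject.
        self._by_hash = {h: r for h, r in self._by_hash.items() if r.subject != subject}
        token = secrets.token_hex(32)  # 32 random bytes; only this plaintext goes in the email
        self._by_hash[self._digest(token)] = LinkRecord(subject, now + ttl)
        return token
    def redeem(self, token: str, now: datetime) -> "str | None":
        if len(token) != 64 or any(c not in "0123456789abcdef" for c in token):
            return None  # malformed; rejected before any lookup
        rec = self._by_hash.get(self._digest(token))
        if rec is None or rec.used or now >= rec.expires_at:
            return None  # unknown, already used, or past its TTL
        rec.used = True
        return rec.subject

def demo() -> dict:
    """Check each stated property against a constructed clock; True means the property held."""
    t0 = datetime(2026, 6, 14, tzinfo=timezone.utc)
    links = OneTimeLinks()
    tok = links.issue("member-42", CONSENT_TTL, t0)
    first = links.redeem(tok, t0 + timedelta(days=1)) == "member-42"
    single_use = links.redeem(tok, t0 + timedelta(days=1)) is None
    old = links.issue("member-42", CONSENT_TTL, t0)
    new = links.issue("member-42", CONSENT_TTL, t0)  # resend from the Members page
    resend = links.redeem(old, t0) is None and links.redeem(new, t0) == "member-42"
    expired = links.redeem(links.issue("member-42", CONSENT_TTL, t0), t0 + timedelta(days=8)) is None
    portal = links.redeem(links.issue("guardian@example.test", DSR_TTL, t0), t0 + timedelta(hours=2)) is None
    return {"first": first, "single_use": single_use, "resend": resend, "expired": expired, "portal": portal}
```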

Aging up

When a junior crosses the consent age (16), a daily sweep clears the guardian fields on their member row. From that point on, their data is processed on the same basis as any adult member — typically their own self-consent on first sign-in. We preserve the consent timestamp as a historical audit anchor.

Photos for minors

Photo uploads are blocked at the server for any member who is a minor, regardless of whether the guardian gave consent for enrolment. The default position is "no photo until they age up."

Safeguarding

Clubs that enable child memberships attest in the Terms that they have appropriate safeguarding policies in place. FixtureFlow does not perform safeguarding checks itself.

Contact

Privacy questions: ask your club admin. They escalate to the FixtureFlow operator on your behalf.