Privacy Policy

Last updated: March 2026

1. Who we are

GrassrootsFC ("we", "us") is operated by Barazovsky Limited, a UK-based company. We provide website hosting and management tools for grassroots football clubs.

We are the data controller for personal data collected through the GrassrootsFC platform itself (e.g., admin account details, billing information). For content uploaded by clubs (including photographs, documents, and form submissions), the club is the data controller and GrassrootsFC acts as a data processor.

For any data protection questions or requests, contact us at hello@grassrootsfc.co.uk.

2. What data we collect

Club administrators (when you sign up and use the platform)

Name and email address
Password (stored securely hashed, never in plain text)
Club name, badge image, and club colours
Club contact details (email, phone) if provided in settings
Social media links if provided

Content data (uploaded by club admins)

Text content (news articles, page content, team information, event details)
Images and photographs (including gallery albums and product images)
Documents (PDFs, Word documents)
Product listings and shop configuration

Club website visitors

No personal data is collected by default from visitors browsing a club website
If a visitor submits a contact or join form, we collect the information they provide (name, email, message)
If a visitor uses the club shop, we collect order information (name, email, delivery address) to process the order

Shop customers

Name, email, and delivery address for order fulfilment
Payment details are handled entirely by Stripe — we never see or store card numbers

Usage data

Server logs (IP addresses, request paths) retained for security and debugging
If a club enables Google Analytics, Google collects additional usage data (see section 8)

3. What we do NOT do

To be clear about our practices:

We do not sell your data to anyone
We do not send advertising or marketing emails (unless you explicitly opt in)
We do not profile users or build advertising profiles
We do not run uploaded images through AI analysis, machine learning, or automated content recognition tools
We do not share your data with third parties except the sub-processors listed in section 5
We do not use your club's content for any purpose other than providing the service

4. How we use your data

Purpose	Legal basis (UK GDPR)
Operating your club account and website	Performance of contract (Art. 6(1)(b))
Processing subscription payments	Performance of contract (Art. 6(1)(b))
Processing shop orders and customer payments	Performance of contract (Art. 6(1)(b))
Sending service emails (welcome, password reset, admin invitations, subscription receipts)	Performance of contract (Art. 6(1)(b))
Service announcements and platform updates	Legitimate interest (Art. 6(1)(f))
Improving the platform and fixing bugs	Legitimate interest (Art. 6(1)(f))

5. Sub-processors and third parties

We share data with the following third-party services, and only these services, to operate the platform:

Service	Purpose	Data shared	Location
Amazon Web Services (AWS)	Hosting, storage (S3), database (DynamoDB), content delivery (CloudFront)	All platform data	EU-West-1 (Ireland)
AWS SES	Transactional email delivery (password resets, welcome emails, admin invitations)	Email addresses and email content	EU-West-1 (Ireland)
Stripe	Payment processing for subscriptions and shop orders	Email, name, payment details (handled directly by Stripe)	EU / US (Stripe infrastructure)

We do not share data with any other third parties. If a club chooses to enable Google Analytics (see section 8), that is the club's own integration and their responsibility.

6. Data storage and location

All platform data is stored within the European Economic Area:

Database: Amazon DynamoDB in AWS EU-West-1 (Ireland)
File storage: Amazon S3 in AWS EU-West-1 (Ireland)
Content delivery: Amazon CloudFront (edge caching globally, origin in Ireland)

Your data stays in the EU. Stripe may process payment data outside the EEA; these transfers are covered by Standard Contractual Clauses and adequacy decisions as required by UK GDPR.

7. Cookies and local storage

GrassrootsFC uses only essential cookies and local storage. We do not use tracking cookies.

Type	Name / purpose	Essential?
Auth token	Admin session authentication	Yes — required for admin login
localStorage	Shopping cart contents (`{clubId}_cart`)	Yes — required for shop functionality
localStorage	Cookie consent preference (`grfc_cookie_consent`)	Yes — records your cookie choice
Cookies (Stripe)	Set during checkout for payment security	Yes — required for payments

If a club enables Google Analytics, Google will set its own cookies on the club website. This is the club's responsibility — see section 8.

8. Google Analytics (optional, club-controlled)

Clubs can optionally add a Google Analytics (GA4) tracking ID in their settings. If enabled:

Google Analytics scripts will be loaded on the club's public website
Google will collect visitor data according to Google's Privacy Policy
Google will set tracking cookies on visitors' browsers

GrassrootsFC does not control or have access to the Google Analytics data collected on club websites. If you enable GA, you are responsible for:

Displaying a cookie consent banner on your club website
Complying with Google's terms of service
Informing your website visitors about the use of analytics cookies

If you do not add a GA tracking ID, no Google scripts or cookies will be loaded on your site.

9. Children's data and safeguarding

GrassrootsFC accounts can only be created by individuals aged 18 or over. We do not knowingly collect personal data directly from children.

However, we recognise that grassroots football clubs regularly work with young players, and clubs may upload content that includes photographs or information about minors (e.g., match photos, team photos, award presentations).

In this context:

The club is the data controller for any personal data of minors that it uploads to the platform
Clubs are responsible for obtaining appropriate parental or guardian consent before uploading photos or personal data of anyone under 18
Clubs should follow their own safeguarding policies, as well as any requirements from the FA, county FA, or their league
The platform provides a safeguarding page template for clubs to publish their safeguarding information
GrassrootsFC does not independently verify that consent has been obtained — this responsibility lies with the club

If you believe that a photo or personal data of a minor has been uploaded without proper consent, please contact us immediately at hello@grassrootsfc.co.uk and we will act promptly to investigate and remove it if necessary.

10. Data retention

Active accounts: Data is retained for as long as your account is active
Closed accounts: Data is retained for 30 days after account closure to allow for recovery or export, then permanently deleted from both S3 (files, images, documents) and DynamoDB (database records)
Shop orders: Order records are retained for 6 years for tax and accounting purposes
Contact form submissions: Retained until deleted by the club admin
Server logs: Retained for 90 days for security and debugging

11. Your rights under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate data
Erasure — ask us to delete your data (subject to legal retention requirements)
Portability — receive your data in a machine-readable format
Restriction — ask us to limit how we process your data
Objection — object to processing based on legitimate interest

To exercise any of these rights, email us at hello@grassrootsfc.co.uk. We will respond within 30 days.

If you are a member of a club and want to exercise your rights regarding data held on a club website (e.g., your photo in a gallery, a form submission), please contact the club directly in the first instance, as they are the data controller for that data. If you are unable to resolve the matter with the club, contact us and we will assist.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully.

12. Data security

We protect your data using:

Encryption in transit (HTTPS/TLS for all connections) and at rest (AWS server-side encryption)
Hashed passwords (never stored in plain text)
Role-based access controls limiting who can access production systems
Secure presigned URLs for file uploads (time-limited, single-use)
Regular security reviews of our infrastructure

13. International transfers

Your data is stored within the European Economic Area (AWS Ireland). Some third-party services (primarily Stripe) may process data outside the EEA. These transfers are covered by Standard Contractual Clauses or adequacy decisions as required by UK GDPR.

14. Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify club administrators by email. The "last updated" date at the top of this page will always reflect the current version.

15. Contact us

For data protection questions, data subject requests, or any privacy concerns, contact us at:

hello@grassrootsfc.co.uk

Barazovsky Limited
United Kingdom