GrassrootsFC ("we", "us") is operated by Barazovsky Limited, a UK-based company. We provide website hosting and management tools for grassroots football clubs.
We are the data controller for personal data collected through the GrassrootsFC platform itself (e.g., admin account details, billing information). For content uploaded by clubs (including photographs, documents, and form submissions), the club is the data controller and GrassrootsFC acts as a data processor.
For any data protection questions or requests, contact us at hello@grassrootsfc.co.uk.
When a visitor submits a form on a club website (contact form, join enquiry, etc.), we capture and store:
Submissions identified as spam by our automated checks (honeypot field, timing, content heuristics, IP-rate limits) may be silently discarded without notification to either the visitor or the club.
To protect the platform from abuse (signup farming, form spamming, API hammering), we maintain short-lived counters keyed by source IP address and/or club account. Each counter row stores: a counter key (e.g. signup-ip-1.2.3.4), a count, and a timestamp. Rows auto-expire on a rolling window (typically 1 hour or 24 hours) and are then permanently deleted by DynamoDB's TTL mechanism. No personal data is stored in counters beyond the IP address embedded in the key.
Clubs on Club or Pro plans can send branded emails to a list of recipients via the platform's "Send Email" feature. When an admin uses this feature, we store:
The suppression list is the lawful mechanism by which we honour individual unsubscribe requests under UK GDPR and PECR. We retain it indefinitely (see section 10) — removing an entry would risk re-sending to someone who explicitly opted out.
To be clear about our practices:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Operating your club account and website | Performance of contract (Art. 6(1)(b)) |
| Processing subscription payments | Performance of contract (Art. 6(1)(b)) |
| Processing shop orders and customer payments | Performance of contract (Art. 6(1)(b)) |
| Sending service emails (welcome, password reset, admin invitations, subscription receipts) | Performance of contract (Art. 6(1)(b)) |
| Service announcements and platform updates | Legitimate interest (Art. 6(1)(f)) |
| Improving the platform and fixing bugs | Legitimate interest (Art. 6(1)(f)) |
We share data with the following third-party services, and only these services, to operate the platform:
| Service | Purpose | Data shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage (S3), database (DynamoDB), content delivery (CloudFront) | All platform data | EU-West-1 (Ireland) |
| AWS SES (Simple Email Service) | Transactional email delivery (password resets, welcome emails, admin invitations) and broadcast emails sent by club admins via the Send Email feature | Email addresses, email subject + body, delivery/bounce/complaint telemetry | EU-West-1 (Ireland) |
| AWS SNS (Simple Notification Service) | Routes SES bounce and complaint events back to the platform so we can auto-update each club's suppression list | Bounced/complained email addresses with associated club identifier | EU-West-1 (Ireland) |
| AWS Rekognition | Automated moderation of uploaded images — screens for explicit or harmful content at the point of upload. Images are not used to train any model | Uploaded images (player, team, badge, gallery and content images) | EU-West-1 (Ireland) |
| Stripe | Payment processing for platform subscriptions (Club, Pro plans) | Email, name, payment details (handled directly by Stripe) | EU / US (Stripe infrastructure, governed by Standard Contractual Clauses) |
| Stripe Connect | Payment processing for club shop orders (parents buying kit, tickets, etc.) — each club has its own Connect account | Buyer email, name, delivery address, order amount, payment details (handled directly by Stripe) | EU / US (Stripe infrastructure, governed by Standard Contractual Clauses) |
We do not share data with any other third parties. If a club chooses to enable Google Analytics (see section 8), that is the club's own integration and their responsibility.
All platform data is stored within the European Economic Area:
Your data stays in the EU. Stripe may process payment data outside the EEA; these transfers are covered by Standard Contractual Clauses and adequacy decisions as required by UK GDPR.
GrassrootsFC uses essential cookies and local storage by default. On this site we also use Google Analytics for visitor analytics — its cookies are set only if you accept them in our cookie banner. Decline, and no analytics cookies are used.
| Type | Name / purpose | Essential? |
|---|---|---|
| Auth token | Admin session authentication | Yes — required for admin login |
| localStorage | Shopping cart contents ({clubId}_cart) | Yes — required for shop functionality |
| localStorage | Cookie consent preference (grfc_cookie_consent) | Yes — records your cookie choice |
| Cookies (Stripe) | Set during checkout for payment security | Yes — required for payments |
| Cookies (Google Analytics) | Site usage analytics (_ga, _ga_*) | No — set only if you accept cookies |
If a club enables Google Analytics on its own site, Google's cookies are set there only after the visitor accepts the cookie banner (see section 8).
Clubs can optionally add a Google Analytics (GA4) tracking ID in their settings. If enabled:
GrassrootsFC shows a cookie consent banner on your club website and loads Google Analytics only after a visitor accepts. GrassrootsFC does not control or have access to the Google Analytics data collected on club websites. As the data controller for your club's site, you remain responsible for:
If you do not add a GA tracking ID, no Google scripts or cookies will be loaded on your site.
GrassrootsFC accounts can only be created by individuals aged 18 or over. We do not knowingly collect personal data directly from children.
However, we recognise that grassroots football clubs regularly work with young players, and clubs may upload content that includes photographs or information about minors (e.g., match photos, team photos, award presentations).
In this context:
If you believe that a photo or personal data of a minor has been uploaded without proper consent, please contact us immediately at hello@grassrootsfc.co.uk and we will act promptly to investigate and remove it if necessary.
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the right to:
To exercise any of these rights, email us at hello@grassrootsfc.co.uk. We will respond within 30 days.
If you are a member of a club and want to exercise your rights regarding data held on a club website (e.g., your photo in a gallery, a form submission), please contact the club directly in the first instance, as they are the data controller for that data. If you are unable to resolve the matter with the club, contact us and we will assist.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully.
We protect your data using:
Your data is stored within the European Economic Area (AWS Ireland). Some third-party services (primarily Stripe) may process data outside the EEA. These transfers are covered by Standard Contractual Clauses or adequacy decisions as required by UK GDPR.
We may update this policy from time to time. If we make significant changes, we will notify club administrators by email. The "last updated" date at the top of this page will always reflect the current version.
For data protection questions, data subject requests, or any privacy concerns, contact us at:
Barazovsky Limited
United Kingdom