Privacy Policy

Gaffer HQ Ltd · Version 1.0 · Last updated: May 2025

1. Who we are

GAFFER HQ is operated by Gaffer HQ Ltd, a company registered in England and Wales. We are the data controller for personal data collected through gafferhq.uk.

Privacy contact: [email protected]

2. What data we collect

Account data: Name, email, mobile number, role (manager/referee), and password (hashed).

Team data: Club name, age group, county, kit colour, league standard.

Location data: County (managers), town/city (referees) — used for regional matching.

Activity data: Availability posts, match requests, fixture records, messages.

Consent data: Timestamps and version numbers of privacy/terms consent.

Analytics: Aggregate page views via Plausible — no personal identifiers, no cookies.

3. Legal basis for processing

Contract: Account and profile data — necessary to provide the service.

Legitimate interests: Location data for regional matching; child player data for youth football administration.

Consent: Marketing emails — separate explicit opt-in required. You can withdraw at any time from Account Settings.

4. Child player data

GAFFER HQ accounts are for adults aged 18+ only. Managers may enter player names for squad administration. This data is:

  • Accessible only to the authorised manager and relevant club administrators
  • Never publicly visible
  • Enforced at database level via Row Level Security
  • Not shared with third parties

5. Third-party services

Supabase (database and auth) — data stored in EU region

Railway (hosting) — application hosting

Resend (transactional email) — email delivery only

Mapbox (maps) — pitch directory map view

Plausible (analytics) — cookieless, no personal data

Cloudflare (DNS/CDN) — DDoS protection and caching

We do not use Google Maps, Google Analytics, Google Fonts, or Google OAuth.

No personal data is shared with advertising networks.

6. AI disclosure

GAFFER HQ uses AI-assisted development tools. Your personal data is not used to train external AI models. Any AI-assisted recommendations (e.g. opponent suggestions) are advisory only — not binding decisions.

7. Cookies

We use one strictly necessary session cookie for authentication (Supabase Auth). No tracking cookies. No consent banner required. Plausible analytics is cookieless.

8. Your rights

Under UK GDPR, you have the right to access your data, correct inaccuracies, erase your data, restrict processing, and receive your data in a portable format (data portability).

You can download your data and request deletion from Account Settings. We process deletion requests within 30 days.

Contact: [email protected] · You can also complain to the ICO.