Privacy Policy

Last Updated: May 14, 2026

1. Introduction

ClubFellow ("we", "us", "our") is committed to protecting your personal data. ClubFellow is a trading name and is not a registered limited company. This Privacy Policy explains how we collect, use, store, and disclose your information when you use the ClubFellow mobile application and associated services ("the Service").

We are the data controller for personal data processed when you use the Service directly. Where a club admin has invited you to their club, that admin is the data controller for club-specific data and ClubFellow acts as the data processor.

This policy is governed by the EU General Data Protection Regulation (GDPR) and the Cyprus Personal Data Protection Law (Law 125(I)/2018).

2. Data We Collect

Account Data (collected at registration):

  • Full name
  • Email address
  • Encrypted password (never stored in plaintext)
  • Optional: phone number, profile photo, bio
  • Terms acceptance timestamp and IP address at registration

Club & Activity Data:

  • Club memberships, roles, and join dates
  • Event attendance records
  • Poll votes (pseudonymised in results)
  • Member tags and external profile links (if added)
  • Last activity timestamp

Payment Data:

  • Transaction records (amount, date, status, Stripe payment intent ID)
  • Payment data is processed by Stripe — we do not store card numbers or full payment instrument details.

Technical Data:

  • Device FCM token for push notifications
  • Device platform (iOS/Android)
  • Crash reports and anonymised usage analytics (via Firebase Crashlytics)
  • IP address and approximate location (for rate limiting and security)

3. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6 GDPR:

  • Contractual necessity (Art. 6(1)(b)): To provide you with the Service, manage your account, and process payments.
  • Legitimate interests (Art. 6(1)(f)): To detect and prevent fraud, ensure platform security, improve the Service, and send service-related communications.
  • Legal obligation (Art. 6(1)(c)): To retain transaction records as required by tax and accounting law.
  • Consent (Art. 6(1)(a)): For push notifications, which you may withdraw at any time in your device settings or via in-app notification preferences.

4. How We Use Your Data

  • To create and manage your account
  • To provide core Service features (clubs, announcements, events, polls)
  • To process payments and maintain transaction records
  • To send push notifications about club activity (requires device permission)
  • To send transactional emails (account verification, password resets, payment receipts) via Resend
  • To detect, prevent, and respond to fraud, abuse, or security incidents
  • To generate anonymised, aggregated analytics for club admins (member counts, attendance rates) — these do not identify individual users
  • To comply with legal obligations

5. Data Sharing & Third-Party Processors

We do not sell your personal data. We share data only with the following sub-processors, all operating under GDPR-compliant data processing agreements:

  • Stripe (stripe.com) — payment processing. Subject to Stripe's own Privacy Policy. Data may be transferred to the US under Standard Contractual Clauses.
  • Firebase / Google (firebase.google.com) — push notifications (FCM) and crash reporting (Crashlytics). Subject to Google's Data Processing Amendment. Firebase Crashlytics is used in the mobile app only — not on the landing page.
  • Resend (resend.com) — transactional email delivery.
  • Cloudinary (cloudinary.com) — media storage for profile photos and announcement images.
  • Railway / Render — cloud hosting for our backend. Servers located in the EU.

We may disclose your data to law enforcement or regulatory authorities if required by applicable law or valid legal process.

6. Member Directory

Your profile is not visible in any club's member directory by default. You can opt in to the directory for specific clubs individually in the app (Profile → Directory Visibility). You may opt out again at any time. Directory listings show only your name and optional external links — never your email or contact details.

7. Data Retention

  • Account data: Retained until you delete your account, after which it is immediately anonymised (name replaced with "Deleted User", email and phone removed, avatar removed).
  • Payment records: Retained for 7 years from the transaction date as required by EU and Cyprus tax law. This data is retained even after account deletion.
  • Consent audit records: Terms acceptance timestamp and IP address are retained for the duration of your account as evidence of valid consent under GDPR Article 7(1).
  • Push notification tokens: Deleted on logout or when the token is refreshed.
  • Crash reports: Retained by Firebase for 90 days per their standard policy.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you. You can export your data directly in the app: Settings → Account → Export My Data. You may also contact us at support@clubfellow.app.
  • Right to Rectification (Art. 16): Request correction of inaccurate data.
  • Right to Erasure / "Right to be Forgotten" (Art. 17): Delete your account in-app (Settings → Delete Account). This immediately anonymises your PII.
  • Right to Restriction (Art. 18): Request that we restrict processing of your data.
  • Right to Data Portability (Art. 20): Download a machine-readable export of your personal data via Settings → Account → Export My Data, or by contacting us.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent: Revoke push notification consent via device settings or in-app notification preferences at any time.

To exercise any of these rights (other than deletion and data export, which are self-service in-app), contact us at support@clubfellow.app. We will respond within 30 days. You also have the right to lodge a complaint with the Cyprus Commissioner for Personal Data Protection (dataprotection.gov.cy) or your local supervisory authority.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • All data in transit is encrypted via TLS/HTTPS.
  • Passwords are hashed using Django's PBKDF2 algorithm with SHA-256.
  • Authentication tokens are short-lived (24-hour access tokens, 30-day refresh tokens) and stored in encrypted device storage.
  • Database access is restricted to application servers only.
  • Payment data is handled entirely by Stripe — we never receive raw card details.

No method of transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities without undue delay in the event of a personal data breach as required by GDPR Articles 33 and 34.

10. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16 without parental consent, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at support@clubfellow.app.

Note: Club admins who manage clubs that include members under 16 (e.g. youth sports clubs) bear their own data controller responsibilities for those members' data and must ensure they have appropriate parental consent and lawful basis for processing under applicable law.

11. International Transfers

Your data is primarily processed on servers located within the European Union. Where data is transferred outside the EU/EEA (for example, to Stripe or Firebase servers in the United States), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) as approved by the European Commission.

12. Cookies & Tracking

The ClubFellow landing page (clubfellow.app) does not use tracking cookies, advertising pixels, or third-party analytics. It is a static website served without any client-side tracking scripts. No cookie consent banner is required.

The ClubFellow mobile application does not use web cookies. Firebase Crashlytics (used in the app for crash reporting) operates at the OS level and does not use browser cookies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before the changes take effect. The "Last Updated" date at the top of this policy will always reflect the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact & Data Controller

ClubFellow is a trading name and is not a registered limited company. For any privacy-related requests or questions, contact our data protection contact at:
ClubFellow
support@clubfellow.app

We aim to respond to all requests within 30 days as required by GDPR.