ClubFlow uses a handful of strictly necessary cookies: to keep you signed in, remember your language preference, and record this acknowledgment. No analytics, no advertising, no third parties.
How ClubFlow collects, uses and looks after personal data, written to match what the product actually does, not a generic template.
Last updated: 22 May 2026
Effective from: 22 May 2026
Version: 2.1
Jurisdiction: Sweden (EU)
This text is a draft. Legal counsel review is pending before publication.
Summary
ClubFlow is a tool football clubs use to run themselves, managing teams, players, fixtures, development plans and scouting. To do that we hold the information the club enters about the people inside it. This notice explains exactly what we hold, why, who else sees it, and what you can ask us to do with it.
Only club staff (owners, administrators, coaches and scouts) have ClubFlow accounts. Players and their parents do not sign in to the platform; their data is recorded and managed by the club staff that works with them.
Plain-language version
We hold the data a club enters into the product, plus the account details of the people who sign in. We do not upload photos of people. We do not sell data, run advertising, or share it with anyone for marketing. We keep it in the EU. You can ask to see, correct or delete your data. Write to privacy@theclubflow.com.
Who we are
ClubFlow is the team that builds and operates the ClubFlow platform. There are two layers of responsibility:
For the data a club enters into the platform (squad lists, fixtures, development notes, scouting records), the club is the data controller and ClubFlow acts as its data processor.
For account data we hold about the people who sign in (your name, email, the clubs and roles you have access to), ClubFlow is the controller.
For privacy questions or to exercise your rights under GDPR, write to privacy@theclubflow.com.
Data we collect
Everything below is data we either capture during sign-up or that club staff type into the product. We do not import personal data about players from any external source today. Optional fields are marked accordingly.
| Category | Fields | Source |
| --- | --- | --- |
| Account | Email, first name, last name, optional phone, language preference | Provided during sign-up or invitation acceptance |
| Club membership | Clubs you belong to, your role within each club, the teams you are assigned to | Set by the club admin who invited you |
| Player profile | First name, last name, date of birth, gender, nationality, preferred foot | Entered by club staff |
| Parent height (optional) | Self-reported mother and father height in centimetres | Entered by club staff when used; only consumed by the player’s maturation-forecast feature |
|  |  | Entered by club staff. We do not capture medical diagnoses. |
| Scouting records | For tracked prospects: name, date of birth, gender, nationality, position, current club, scout notes | Entered by scouts within the club |
| Public application form | First name, last name, email, date of birth | Submitted by the prospect (or their guardian) using a club’s public application link |
| Authentication & usage | IP address and timestamps (Supabase Auth logs), session tokens | Captured automatically when you sign in |
| Consent records | Which policy version you accepted and when | Recorded at sign-up and whenever you accept a policy update |
What we do not collect
We do not upload photos of players or any other people. We do not ask for personnummer. We do not store medical diagnoses. We do not run web-analytics tracking (no pages-visited heatmap, third-party tag, or marketing pixel). We do not handle payment-card data.
External sources we read from
A club can connect optional integrations that let ClubFlow read data from an external system. We never push data the other way.
Svenska Fotbollförbundet (SvFF). When a club connects SvFF, ClubFlow reads the club’s team list, fixtures, standings and opponent crests. The connection is read-only; no club, player or staff data is sent back to SvFF.
How we use it
We use the data above only to run the parts of the product the club is using:
Show squad lists, fixtures, standings and development plans to the right people inside the club.
Track minutes played across the season so coaches can balance playing time.
Run the maturation forecast for a player when parent-height data has been entered.
Match scout reports and application-form submissions to the right prospect records.
Send transactional email tied to the account itself: sign-up verification, password resets, invitations.
Diagnose bugs, monitor service health, and keep the platform secure.
We do not use any of this data for advertising. We do not profile users. We do not train machine-learning models on personal data.
Lawful basis (GDPR)
Under Article 6 of the GDPR, our lawful bases are:
Contract: Holding your account data and providing the features the club has chosen to use.
Legitimate interest: Keeping the service running, diagnosing bugs and protecting it from abuse. We balance this against the rights of the people in the system; you can object at any time.
Consent: Acceptance of this notice and the terms of service at sign-up. Consent is recorded so we can demonstrate compliance under GDPR Art. 7.
Who we share with
We use a small number of subprocessors to operate the platform. Each is bound by a written data-processing agreement that prohibits any other use of the data. We describe them by category rather than naming individual vendors here, so this notice stays accurate when we change a supplier.
| Category | Purpose | Location |
| --- | --- | --- |
| Database and authentication provider | Storing the data described above and authenticating sign-ins | EU region |
| Transactional email provider | Delivering invitations and similar account email that the platform sends on a club’s behalf | EU region |
We do not transfer personal data outside the EU/EEA. If that ever changes, we will revise this notice and email every account holder at least 30 days in advance.
How long we keep it
We keep data for as long as it is needed to run the club, then we erase or anonymise it on a published schedule. The same retention schedule applies to every club on the platform.
Active players: kept while the player is on the club roster. When a player is marked as having left the club, a scheduled job anonymises their contact-grade fields (name, date of birth, nationality, parental heights) 12 months later by default; the roster shell remains so historical match and lineup stats stay attributable.
Players removed at the club’s request: soft-deleted for a grace window of 1 month (the club can restore an accidental delete during this window), then hard-deleted by a scheduled job.
Cold scouting prospects: prospects marked as cold (no longer being tracked) and not touched for 24 months are hard-deleted, including scout reports, match notes, and free-form notes.
Audit logs: retained for 24 months; older rows are removed by the scheduled retention job.
Feedback / bug reports: resolved reports are removed 12 months after closure; reports still flagged actionable are kept until they are resolved.
Staff account data: kept while the staff member’s account is active. When a staff account is deleted we anonymise the personal data we hold about that person; the records they created inside the platform (lineups, notes, scouting reports) stay with the club.
Club offboarding: when a club terminates the contract we provide a structured export on request and then erase the club’s data set on the schedule the contract specifies. The automated 30-day self-service export window is a future enhancement; until it lands, the export is run manually by our team.
Consent records: retained for the period required to demonstrate compliance under GDPR Art. 7(1), even after a staff account is closed.
Authentication logs: retained by our database and authentication provider for their default log-retention window, which is short and used only for security and diagnostics.
Your rights
Under GDPR, the people whose data we hold have the right to:
Access: receive a copy of the personal data we hold about you (Art. 15).
Rectification: correct anything that is wrong. Most fields can be edited in-product directly (Art. 16).
Erasure: ask us to delete your personal data, subject to the retention items above (Art. 17).
Restriction: ask us to pause processing while a dispute is being resolved (Art. 18).
Portability: receive your data in a machine-readable format (Art. 20).
Objection: object to any processing we are doing on the basis of legitimate interest (Art. 21).
Because players and their parents do not have ClubFlow accounts, rights requests about a player’s data are usually fastest if you first contact the club itself. The club is the data controller for the data it entered about its players. If the club cannot help, or your request concerns account data ClubFlow controls, email privacy@theclubflow.com. We respond within the time required by GDPR Art. 12(3): at most 30 days, typically much sooner.
Under-18 players
A large share of the data inside ClubFlow concerns players who are under 18. The club, not us, gathers guardian consent where Swedish law requires it. Inside the platform we apply the same rules as for any other player, with two practical guarantees:
Coach commentary, development notes and skill ratings are visible only to staff with role-based access to that team.
Injury and absence notes are restricted to coaching-staff roles and are never exposed in any export shared outside the club.
We do not upload photos of players, and we do not run in-product features that would publish player names or details on the open internet without explicit, per-player guardian consent recorded in the system.
No player data is used for marketing, for analytics outside of in-product features, or for training third-party models.
Security
Personal data is encrypted in transit and at rest using the industry-standard encryption provided by our database and authentication subprocessor. Access to production data is restricted to the small number of people who need it to run the service, and is logged.
If a personal-data breach occurs that is likely to result in a risk to the rights of any individual, we notify the affected clubs and IMY within 72 hours, as required by Article 33.
Changes to this notice
When we update this notice we list what changed at the top of the new version. For material changes that affect how we process personal data, we ask for renewed consent the next time you sign in and email every account holder at least 30 days before the effective date. Minor wording fixes are noted in the changelog but do not trigger an email.
Questions about this notice
Our privacy team reads every message and responds within five working days.