Privacy policy

1. Data Controller

ClubSystem is the data controller for personal data processed in connection with our own website, sales, onboarding, support, billing, and platform administration. For privacy-related inquiries about these activities, contact us at: contact@clubsystem.app

If you submit personal data on a club booking page powered by ClubSystem, the club shown on that booking page is the controller of your reservation data. In that case ClubSystem acts on behalf of that club as a processor providing the booking infrastructure.

2. What Data We Collect

When you register your club, contact us, or use our services, we may collect:

• Registration data: Club name, address, contact email, phone number (optional)
• Account data: Username, password (encrypted), admin contact information
• Reservation-platform data: Reservation details and customer contact data submitted on booking pages operated by clubs using ClubSystem. The relevant club is the controller of this data, while ClubSystem processes it under a data processing agreement.
• Usage data: System logs, session statistics, feature usage analytics
• Technical data: IP addresses, browser type, device information, cookies

3. Purpose and Legal Basis

We process personal data for the following purposes:

• Service delivery — providing booking system functionality, SMS notifications, account management to clubs using ClubSystem (Legal basis: Contract performance, Art. 6(1)(b) GDPR)
• Reservation processing on behalf of clubs — storing reservation requests, SMS verification, reminders, and reservation-related operational messages sent through the platform on behalf of a club (Legal basis applied by the club as controller; ClubSystem acts as processor under Art. 28 GDPR)
• Pre-contractual activities — responding to trial registration, preparing quotes, scheduling deployment (Legal basis: Pre-contractual measures, Art. 6(1)(b) GDPR)
• Communication — responding to inquiries, customer support, service updates (Legal basis: Legitimate interest, Art. 6(1)(f) GDPR)
• System security — preventing fraud, ensuring service stability, troubleshooting (Legal basis: Legitimate interest, Art. 6(1)(f) GDPR)
• Legal compliance — fulfilling legal obligations, accounting requirements (Legal basis: Legal obligation, Art. 6(1)(c) GDPR)

4. Data Recipients

Your data may be shared with the following third-party processors:

• Hetzner Online GmbH (Germany, EU) — Backend server and database hosting. All personal data (names, phone numbers, emails, booking history) is stored on Hetzner infrastructure. EU-based; no Standard Contractual Clauses required.
• Netlify, Inc. (USA) — Frontend website hosting and CDN. Processes IP addresses, cookies, and page requests. Data transfers covered by Standard Contractual Clauses (SCCs).
• Resend, Inc. (USA) — Transactional email delivery (verification emails, notifications). Processes email addresses and email content. Data transfers covered by Standard Contractual Clauses (SCCs).
• SMSAPI.pl (Poland, EU) — SMS delivery for booking verification codes and notifications. Processes phone numbers and message content. EU-based.
• Sentry (Functional Software, Inc.) (USA) — Error monitoring and performance tracking. May process error stack traces, browser metadata, and URLs containing anonymized reservation identifiers. Sensitive identifiers (UUIDs, phone numbers) are scrubbed before transmission. Data transfers covered by Standard Contractual Clauses (SCCs).
• PostHog, Inc. (USA, EU Cloud) — Product analytics and user behaviour tracking on booking and admin pages. Processes event data (page visits, feature usage, anonymized user actions) only when you consent to analytics cookies. Data is stored in Frankfurt, Germany (EU) via PostHog EU Cloud. EU data residency — no Standard Contractual Clauses required.
• Legal authorities — when required by law or to protect our legal rights.

All data processors are bound by appropriate Data Processing Agreements (DPAs) in accordance with GDPR Art. 28.

5. Data Retention

We retain your personal data for the following periods:

• Registration inquiries: 12 months from last contact
• Active accounts: Duration of service usage plus 30 days after termination
• Reservation-platform data: retained according to the club's instructions as controller and the service configuration used for operational purposes
• Financial records: As required by law (typically 5-7 years)
• Technical logs: 90 days for security and troubleshooting purposes

After these periods, data is securely deleted or anonymized.

6. Your Rights

Under GDPR, you have the following rights:

• Right to access — request a copy of your personal data
• Right to rectification — correct inaccurate or incomplete data
• Right to erasure — request deletion of your data ("right to be forgotten")
• Right to restriction — limit how we process your data
• Right to data portability — receive your data in a structured format
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — where processing is based on consent, withdraw it at any time
• Right to lodge a complaint — file a complaint with your local data protection authority

To exercise these rights, contact us at contact@clubsystem.app for data controlled directly by ClubSystem. If your request concerns reservation data submitted to a specific club, please contact that club first as the controller named on the booking page. We will assist the club as processor where required.

7. Cookies and Tracking

Our website uses cookies and similar technologies to enhance your interactions with our website and services. This includes essential cookies for system functionality (authentication, session management) and analytics cookies (Google Analytics, PostHog) for traffic analysis, product analytics, and improving our services.

By accessing our website and using our services, you agree to let us use cookies and similar technologies. You can control cookies through your browser settings, but disabling essential cookies may affect service functionality.

For more information about how we use cookies and how to manage your preferences, please refer to this Privacy Policy or contact us at contact@clubsystem.app.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Encrypted data transmission (HTTPS/TLS)
• Password encryption using industry-standard algorithms
• Regular security updates and vulnerability assessments
• Access controls and authentication mechanisms
• Secure backup procedures

9. International Data Transfers

Most of your data is stored and processed within the European Economic Area (EEA): our backend server is hosted by Hetzner Online GmbH (Germany), and SMS services are provided by SMSAPI.pl (Poland).

Some service providers are based outside the EEA (USA): Netlify (hosting/CDN), Resend (email delivery), and Sentry (error monitoring). Transfers to these providers are safeguarded by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c). PostHog (product analytics) uses EU Cloud infrastructure hosted in Germany and does not require SCCs.

10. Children's Privacy

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Significant changes will be communicated via email or prominent notice on our website.

12. Contact Us

For any questions or concerns about this Privacy Policy or our data practices:

Email: contact@clubsystem.app

Subject line: Privacy Policy Inquiry