FootyBase is designed with GDPR compliance in mind. This page explains how the platform helps your club meet its obligations under the UK General Data Protection Regulation and the Data Protection Act 2018.
Your club as data controller
When your club uses FootyBase to manage player registrations, coach records and parent data, your club acts as the data controller — meaning you are responsible for deciding what data is collected and why. FootyBase acts as your data processor, processing data on your behalf under your instructions.
As data controller, your club must ensure it has a valid legal basis for collecting and processing personal data. Typical legal bases for football clubs include:
- Contract — processing necessary to manage membership and collect fees
- Legitimate interests — club administration and safeguarding
- Legal obligation — FA registration requirements
- Consent — photographs, marketing communications
Data processing agreement
As required by UK GDPR Article 28, FootyBase operates as a data processor under a data processing agreement with each club. By using FootyBase, you agree to the terms of our Data Processing Agreement, which covers:
- The nature and purpose of processing
- The type of personal data processed
- Security measures in place
- Sub-processors used (GoCardless, Brevo)
- Data subject rights procedures
- Data breach notification obligations
What FootyBase does to keep data safe
- All data is stored on UK-based servers
- All data in transit is encrypted using TLS 1.2 or higher
- Access is controlled via role-based permissions — coaches only see their own squad, parents only see their own children
- JWT authentication with automatic session expiry
- Regular security updates and server hardening
- No data is shared with third parties beyond GoCardless (payments) and Brevo (email delivery)
- Payment data is never stored on FootyBase servers — handled entirely by GoCardless
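As an added illustration, not FootyBase's own code, the scoping rule above (coaches see only their own squad, parents only their own children, sessions expire) written as a deny-by-default authorisation check over constructed sample records. It assumes the JWT signature has already been verified upstream and operates on the decoded claims (`sub`, `role`, `exp`).

```python
import time

# Constructed sample data (not FootyBase's real schema) used to show the
# scoping rules: a coach sees only their own squad, a parent only their own
# children, and an admin sees every record.
PLAYERS = {
    "p1": {"name": "Player One", "squad": "U10", "parent": "u_parent1"},
    "p2": {"name": "Player Two", "squad": "U10", "parent": "u_parent2"},
    "p3": {"name": "Player Three", "squad": "U12", "parent": "u_parent1"},
}
COACH_SQUADS = {"u_coach1": {"U10"}}  # hypothetical coach -> squads mapping

class AccessDenied(Exception):
    pass

def check_session(claims, now=None):
    """Reject expired sessions; `exp` is the standard JWT expiry claim (epoch seconds)."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or now >= exp:
        raise AccessDenied("session expired or carries no expiry")
    return claims

def visible_players(claims, now=None):
    """Return the set of player IDs the caller may see; unknown roles get nothing."""
    claims = check_session(claims, now)
    role, sub = claims.get("role"), claims.get("sub")
    if role == "admin":
        return set(PLAYERS)
    if role == "coach":
        squads = COACH_SQUADS.get(sub, set())
        return {pid for pid, p in PLAYERS.items() if p["squad"] in squads}
    if role == "parent":
        return {pid for pid, p in PLAYERS.items() if p["parent"] == sub}
    raise AccessDenied(f"unknown role {role!r}")

def can_access(claims, player_id, now=None):
    """True only if the record is inside the caller's scope and the session is live."""
    try:
        return player_id in visible_players(claims, now)
    except AccessDenied:
        return False
```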
Data subject rights
FootyBase helps your club respond to data subject rights requests:
- Right of access: Player and parent data can be viewed and exported from the admin dashboard
- Right to rectification: Admins can update any personal data at any time
- Right to erasure: Players and users can be deleted from the system by admins
- Data portability: Data can be exported to Excel from the financial and registration sections
When a data subject makes a rights request to your club, you have 30 days to respond. Contact us at elliott.cook@icloud.com if you need assistance fulfilling a request.
Data retention
Your club should establish a data retention policy appropriate to its needs. As a guide:
- Active player records — retain for the duration of membership
- Former player records — retain for 3 years after last season
- Payment records — retain for 7 years (HMRC requirement)
- Safeguarding records — follow FA guidance (typically minimum 7 years)
- DBS certificate records — retain for duration of role plus 6 months
Data breaches
In the event of a data breach, FootyBase will notify affected clubs within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Your club may then need to notify the ICO and/or affected individuals depending on the nature and risk of the breach.
Sub-processors
FootyBase uses the following sub-processors:
- GoCardless Ltd — Direct Debit payment processing (FCA authorised, UK-based)
- Brevo (Sendinblue) — Transactional email delivery
- IONOS SE — UK-based server hosting
Contact our DPO
For any GDPR-related queries, data subject requests or to request a copy of our Data Processing Agreement, contact us at elliott.cook@icloud.com.
You can also contact the Information Commissioner's Office directly at ico.org.uk or by calling 0303 123 1113.