Privacy Policy
Last updated: March 9, 2026
1. Who We Are
YesGaffa is a multi-tenant SaaS platform providing financial management, matchday operations, sponsor CRM, and fan engagement tools for grassroots football clubs. References to “we”, “us”, or “our” refer to YesGaffa Ltd.
2. Data We Collect
Account data: name, email address, club role, authentication credentials.
Club operations data: financial transactions, match events, inventory records, member/volunteer details, sponsor contacts and agreements.
Fan data: display name, wallet balance, game entries, predictions, check-in location (with consent).
Payment data: processed by Stripe — we do not store card numbers.
Usage data: page views, feature usage, error logs, device information.
3. Lawful Basis for Processing
- Contract: to provide the service your club has subscribed to.
- Legitimate interests: platform security, fraud prevention, service improvement, and analytics.
- Legal obligation: financial record keeping (7 years for UK tax law).
- Consent: marketing communications, geolocation for fan check-ins, analytics cookies.
4. Sub-Processors
We share data with the following third-party services to operate the platform:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Stripe | Payment processing, subscriptions | US/EU |
| Vercel | Application hosting, edge functions | Global CDN (London primary) |
| Resend | Transactional email delivery | US |
| SendGrid | Fallback email delivery | US |
| Square | POS payment integration (optional) | US/EU |
| OpenAI | AI content generation (social posts, Chairman AI briefings). Processes club names, financial summaries, and user-provided prompts. | US |
| Anthropic | AI content generation (briefings, analysis via Claude models). Processes club names, financial summaries, and user-provided prompts. | US |
| Google AI (Gemini) | AI content generation (fallback model). Processes club names, financial summaries, and user-provided prompts. | US |
| Firebase / FCM | Push notifications for chat messages and match alerts. Processes device tokens and notification content. | US |
| Sentry | Error tracking and performance monitoring. Processes error stack traces, device info, and anonymised user identifiers. | US |
| Wikimedia Foundation | Fetching team badge/logo images via the Wikipedia API. Sends team name search queries. IP addresses may be logged per Wikimedia Foundation Terms of Service. | US |
5. Data Retention
- User account data: retained for the lifetime of the account plus 14 days after deletion request.
- Financial records: 7 years (UK legal requirement). Anonymised after account deletion.
- Audit logs: 3 years.
- Telemetry and analytics: 2 years.
- Game audit logs: 3 years.
- Export files: 7 days after generation.
6. International Transfers
Some sub-processors are located outside the UK/EEA. Transfers are protected by Standard Contractual Clauses (SCCs) and the providers' compliance certifications. Supabase, our primary data store, hosts data in the EU (Frankfurt region).
7. Your Rights
Under UK GDPR, you have the right to: access, rectification, erasure, data portability, restriction of processing, and objection. You can exercise these rights via your Data Rights page or the in-app settings.
8. Cookies
We use essential cookies for authentication and session management. Optional analytics cookies are only set with your consent. See our Cookie Notice for details.
9. Contact
Data Protection Officer: dpo@yesgaffa.com
General privacy enquiries: privacy@yesgaffa.com
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
See also: Cookie Notice, Terms of Service, Data Rights.