Privacy Policy
Last updated · June 2026
This page explains what personal data Fairway collects, why we collect it, who we share it with, and what rights you have under UK and EU data-protection law. We've tried to write it in plain English rather than legalese.
Two roles: if you're a golf club using Fairway to run your members' app, you are the Data Controller for your members' personal data and Grantive Ltd is your Data Processor — see the section "For club admins". If you're an individual member, you have rights against both your club (the Controller) and us (the Processor) — see "For members".
Who we are
"Fairway" is a software-as-a-service product operated by Grantive Ltd, a company registered in England and Wales. You can reach us at [email protected]. We are the data controller for any personal data we collect about club administrators (your subscription, billing, support correspondence). We are the data processor for any personal data clubs hold about their members — your club is the controller of that data.
What we collect
From club administrators (controller relationship)
- Account & billing: club name, contact name, email address, password (stored as a salted bcrypt hash — we never see it), tier/plan choices, and Stripe customer + subscription IDs. Card details are held by Stripe, not us.
- Support correspondence: emails you send us and our replies, kept for as long as needed to resolve the issue plus 24 months.
- Operational metadata: last sign-in time, IP address (held by Cloudflare and our application logs for 30 days), browser user-agent.
From individual members (processor relationship)
This data belongs to your club — we hold and process it on their instructions. Categories:
- Identity: first and last name, email address, optional handicap, optional date of birth and gender, optional avatar photo, membership category (Full, Social, Junior, etc.), member number.
- Activity: tee bookings, competition entries and scores, event sign-ups, lesson bookings, range bookings, food & drink orders, pro-shop reservations, notice-board posts, messages exchanged in conversations.
- Engagement: last-active timestamps, push-notification token (if you've granted permission), preferences (favourite courses, dietary notes if you've entered any).
- Optional payment: if your club has enabled in-app payments, Stripe holds your card; we hold only the Stripe-issued tokens.
From visitors to club websites (we host)
If your club takes our website-builder add-on, the per-club website is hosted by us. Visitor data we may process on the club's behalf:
- Contact-form submissions and newsletter sign-ups (forwarded to the club).
- Privacy-preserving analytics (no cookies, no cross-site tracking, no IP addresses retained beyond 24 hours).
What we don't collect
We do not collect health data, advertising identifiers, social-graph data, location data outside of an explicit GPS-on-course feature, or contacts. We do not run third-party ads and do not allow ad-network SDKs in our mobile apps. We do not sell personal data to anyone, ever.
Why we collect it (legal basis)
- Contract: to provide the service you (or your club) have signed up for.
- Legitimate interest: security logging, abuse prevention, product analytics on usage patterns (aggregated, no individual profiling).
- Legal obligation: retaining billing records for HMRC for the periods required by UK tax law.
- Consent: push notifications, marketing emails (sent only by your club, not by us). You can withdraw consent at any time.
Sub-processors
We use a small number of trusted vendors to operate the service. Each is bound by a written Data Processing Agreement and only processes data on our instructions:
- Railway — hosts our application servers and the Postgres database (UK / EEA region).
- Stripe — payment processing for subscriptions and concierge / website charges. Stripe is the controller of cardholder data.
- Cloudflare — DDoS protection, custom-domain serving for club websites (Cloudflare for SaaS), and asset CDN.
- Postmark / Amazon SES — transactional email delivery (welcome emails, booking confirmations, password resets).
- Apple & Google — push-notification delivery via APNs / FCM (notification payload only; not personal data).
We will give 30 days' notice (via email to the club admin) before introducing any new sub-processor.
Where your data is stored
Production data lives in the UK / EEA region of Railway's infrastructure. Rolling backups are encrypted at rest and held for 30 days. We do not transfer personal data outside the UK or EEA except where a sub-processor (Stripe, Cloudflare, Apple, Google) is itself an international provider operating under UK GDPR-compliant transfer mechanisms (Standard Contractual Clauses).
How long we keep it
- Member data: for as long as the member is active at your club, plus 30 days after their record is deleted (rolling backup window).
- Club / admin data: for the lifetime of the subscription, plus 6 years for billing records as required by HMRC.
- Operational logs: 30 days for application logs, 90 days for security and audit logs.
- Backups: 30 days rolling.
Your rights under UK GDPR
You have the right to:
- Access a copy of the personal data we hold about you;
- Rectify data that is inaccurate;
- Erase your data (subject to legal-hold exceptions);
- Restrict processing while a dispute is resolved;
- Object to processing carried out under a legitimate-interest basis;
- Portability — export your data in a structured, machine-readable format;
- Lodge a complaint with the UK Information Commissioner's Office.
For members: exercise these rights against your club first — they are the controller of your data. If you can't reach them, contact us at [email protected] and we will forward the request and follow up.
For club admins: exercise these rights directly with us by emailing the address above. We'll respond within 30 days.
Deleting your account
Members: ask your club's admin to remove you. They can do this from the admin dashboard. If your club has gone inactive, email us with the address you registered under and we will verify and delete.
Club admins: cancel your subscription from the Billing section of your admin dashboard. Your data remains accessible for 30 days, then is deleted from the production database. Backup tapes age out after a further 30 days.
Security
We follow industry-standard practice: TLS 1.2+ for all connections, bcrypt for password storage, short-lived bearer tokens with rotation, rate-limited authentication endpoints, signature verification on Stripe webhooks, Content-Security-Policy headers, and per-tenant data isolation enforced at every database query.
Children
The Fairway member app is not directed at children under 13, and we do not knowingly collect personal data from children under 13. If your club has junior members under 13, the responsibility for parental consent lies with the club as Data Controller.
Cookies & analytics
Our marketing website (fairwaybygrantive.com) uses only essential cookies — no tracking, no advertising cookies, no third-party analytics. Per-club websites we host use a privacy-preserving, cookie-free analytics layer (no IP addresses kept beyond 24 hours, no cross-site tracking).
Changes to this policy
We'll update this page if our practices change. Material changes will be notified to club admins by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
Questions, requests, or complaints: [email protected]. We aim to respond within 2 working days.