Privacy Policy

Clubhouse HQ is operated by Leighton Moore ("we", "us", "our"), a sole trader based in the United Kingdom. Clubhouse HQ is software for running amateur golf societies. For any privacy questions you can reach us via the Contact page.

For personal data you provide directly to Clubhouse HQ (your account details, the data you enter about your society and members), Leighton Moore is the data controller. Our payment provider, Paddle, acts as an independent controller and Merchant of Record for purchases — see "Payments" below.

• Contract (Art. 6(1)(b) UK GDPR): creating your account, providing the service, processing your subscription.
• Legitimate interests (Art. 6(1)(f)): keeping the service secure, preventing fraud, improving the product, responding to support requests.
• Legal obligation (Art. 6(1)(c)): tax, accounting, and responding to lawful requests.
• Consent (Art. 6(1)(a)): optional analytics cookies and any marketing emails.

We do not sell your personal data.

Our order process is conducted by our online reseller Paddle.com. Paddle is the Merchant of Record for all our orders and is an independent controller of the data you submit at checkout (billing name, email, address, payment details, tax info). Paddle handles payments, billing, tax compliance, invoicing, refunds and related customer enquiries. We receive a limited record of the transaction (e.g. plan, status, last 4 digits, country) to provision your subscription. See Paddle's privacy notice at paddle.com/legal/privacy.

Where personal data is transferred outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Addendum and EU Standard Contractual Clauses, or transfers to countries covered by an adequacy decision.

We keep account and society data for as long as your account is active. If you delete your account, we delete or anonymise personal data within 90 days, except where we must retain records for legal reasons (typically up to 7 years for billing and tax records held by us or Paddle). Backups are rotated and overwritten on a rolling 30-day cycle.

We use industry-standard technical and organisational measures, including TLS encryption in transit, encryption at rest, hashed passwords, role-based access control, audit logging, and least-privilege access for staff. No system is perfectly secure, but we work hard to protect your data and will notify you of any qualifying breach as required by law.

Under UK GDPR you have the right to access, rectify, erase, restrict or object to the processing of your personal data, and to data portability and to withdraw consent. You can exercise most rights from your Settings page, or by contacting us. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).

We use essential cookies to keep you signed in. We may use optional analytics cookies only where you have consented via our cookie banner; you can change your choice at any time.

We may update this policy. Material changes will be communicated via email or in-app notice.