RefFlow
Legal

Privacy Policy

Last updated: April 2026

1. Who we are

RefFlow is a referee management platform for football associations, leagues, and referee societies. RefFlow is operated by Cardoso Events, a business registered in Jersey, Channel Islands. Cardoso Events is registered with the Jersey Office of the Information Commissioner (JOIC) under registration number 103572 as a data controller under the Data Protection (Jersey) Law 2018. When we say “RefFlow”, “we”, “us”, or “our”, we mean Cardoso Events trading as RefFlow. Questions about this policy can be sent via our contact page.

2. Data we collect

We collect the following categories of personal data:

  • Account information — name, email address, and password hash when you register.
  • Profile data — referee grade/level, association memberships, availability, and contact preferences you provide.
  • Usage data — server logs needed for security and reliability, plus optional analytics events for public pages only when you consent.
  • Communications — emails and in-app messages sent through the platform.

3. How we use your data

Your data is used to:

  • Create and manage your RefFlow account.
  • Deliver the referee appointment and fixture management service.
  • Send transactional email notifications — appointment confirmations, reminders, and availability requests.
  • Improve platform reliability and diagnose technical issues.
  • Comply with legal obligations and prevent fraudulent or unauthorised access.

We do not sell your personal data. We do not use your data for automated decision-making that produces legal or similarly significant effects.

4. Cookies

RefFlow uses the following storage and cookies:

  • Session cookie — keeps you signed in during your browser session. Expires when you close the browser.
  • Preference cookie — stores your UI preferences (e.g. table sort order). Expires after 12 months.
  • Analytics preference — stores whether you accepted or declined optional public-page analytics in your browser's local storage.
  • Optional analytics storage — if you accept analytics, PostHog may store identifiers so we can measure visits to public marketing pages. We do not load PostHog until you accept, and we do not use it for advertising.

We do not use third-party advertising cookies. You can clear cookies and local storage in your browser settings at any time; clearing session cookies will sign you out of RefFlow.

5. Data sharing

We share your data only with sub-processors necessary to operate the service (hosting, email delivery). All sub-processors are contractually bound to process data solely on our instructions and in accordance with UK GDPR.

We may disclose data where required by law, court order, or to protect the rights and safety of RefFlow and its users.

6. Data retention

Account data is retained for the duration of your account and for up to 24 months after account deletion, unless a longer period is required by law. Anonymised aggregate statistics may be retained indefinitely.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Request deletion of your data (“right to be forgotten”).
  • Object to or restrict certain processing.
  • Data portability — receive your data in a machine-readable format.

To exercise any of these rights, use our contact page with the subject line “Data request”. We will respond within 30 days.

8. Security

We use industry-standard measures including TLS encryption in transit, bcrypt password hashing, and role-based access controls. No method of transmission or storage is 100% secure; we will notify you of any breach that affects your data as required by law.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or in-app notice. Continued use of RefFlow after the effective date constitutes acceptance of the updated policy.

10. Contact

Cardoso Events — Contact us

Privacy Policy, RefFlow