Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsentFree plan · 10-min setup
Jonas Club Software is private club management software used by golf, country, yacht, and city clubs to handle membership, accounting, food and beverage, event management, and member website portals. As a Constellation Software subsidiary based in Canada and the US, Jonas processes sensitive member data including names, emails, payment details, attendance, food preferences, and golf scores. Its JavaScript trackers and first party cookies on club websites enable member engagement analytics and authenticated portal access.
Jonas Club Software is a Constellation Software subsidiary headquartered in Markham, Ontario, with operations in the United States. It supplies an integrated suite for private member clubs covering membership management, accounting and billing, food and beverage point of sale, event and banquet planning, tee time and court booking, and member facing website portals. Most clubs deploy the member portal as the primary digital touchpoint, which means the platform sits at the center of member personal data, financial transactions, and engagement analytics.
Jonas embeds JavaScript modules in club websites and member portals to authenticate members, persist sessions, and track engagement. The platform uses first party cookies on the club domain (such as the session and authentication tokens) and optional third party analytics cookies served from jonasclub.com infrastructure. Tracking typically covers attendance, page visits, booking flows, and purchase behavior so club managers can produce member engagement and retention reports.
Member data is hosted in Constellation Software data centers in Canada (Toronto) and the United States. For EU and UK clubs this means international transfers occur by default. Canada benefits from a European Commission adequacy decision for commercial organizations subject to PIPEDA, while transfers to the US rely on the EU US Data Privacy Framework where Jonas or its US affiliate is self certified, or on Standard Contractual Clauses combined with a transfer impact assessment.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
For core club operations such as managing the membership contract, billing dues, processing food and beverage orders, and operating tee time bookings, the controller (the club) relies on Article 6(1)(b) GDPR (performance of a contract). Marketing communications, member newsletters, and non essential analytics cookies require Article 6(1)(a) consent. Article 6(1)(f) legitimate interests may cover security, fraud prevention, and basic service integrity logging.
Risk is medium. Jonas processes a broad personal data set including identification, contact details, payment card data, attendance, dietary preferences (which can hint at health or religious information), and behavioral patterns. The combination of financial and behavioral data, plus cross border transfers, justifies a documented DPIA, a signed Data Processing Agreement with Jonas, retention limits for inactive members, and a consent management platform for non essential cookies and marketing emails.
Clubs should publish a privacy notice describing Jonas processing, list the cookies set by the portal, document the legal basis matrix, restrict access to member records on a role basis, and provide easy mechanisms to exercise data subject rights including export and erasure when members resign. A consent banner is required to gate analytics cookies and to capture opt in for marketing emails sent through Jonas email modules.
Websites using Jonas Club Software must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended. Jonas Club Software processes large volumes of sensitive member data including names, emails, postal addresses, payment information, attendance records, dining preferences, and golf scores. Data is stored in Canada (Constellation Software, Toronto) and US data centers. Although Canada benefits from a GDPR adequacy decision and US transfers are covered by the Data Privacy Framework, the combination of financial data, behavioral profiling through member analytics, and potential profiling for marketing communications raises the risk profile. Clubs should document the processing in their Article 30 records, sign a Data Processing Agreement with Jonas, configure consent layers for marketing emails and non essential analytics cookies, and verify retention schedules for inactive members.
Sample consent text
This member portal uses essential cookies to keep you signed in and to operate the booking, billing, and event functions of your club (legal basis: contract). With your consent we also use analytics cookies to measure portal usage and send you marketing communications about club events and offers. You can accept, refuse, or customize non essential cookies and unsubscribe from marketing emails at any time.
Third-party domains contacted
jonasclub.comcdn.jonasclub.commembers.jonasclub.comCookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| JONAS_SESSION | technical | session | Maintains the authenticated member portal session and supports core booking, billing, and event functions. Essential cookie under Article 6(1)(b) GDPR. |
| JonasMemberAuth | technical | 30 days | Persists the members signed in state and remembers the device for trusted access. Essential authentication cookie under Article 6(1)(b) GDPR. |
| JonasAnalytics | analytics | 1 year | Measures portal usage, attendance and engagement patterns to produce member analytics reports. Requires prior consent under Article 6(1)(a) GDPR and ePrivacy. |
Jonas Club Software places tracking cookies for advertising — comply with GDPR using FlowConsent.
Jonas sets first party essential cookies on the club domain for session and authentication (JONAS_SESSION and JonasMemberAuth) plus optional third party analytics cookies (JonasAnalytics) served from jonasclub.com. Essential cookies require no consent under ePrivacy and TTDSG, but the analytics cookie requires prior opt in.
Consent is not required for the essential club operations that Jonas powers: contract management, dues billing, bookings, accounting, and authenticated portal access all rely on Article 6(1)(b) GDPR (performance of a contract). Consent is required for non essential analytics cookies and for marketing email modules sent through Jonas.
The club acts as controller and combines three bases: Article 6(1)(b) for the membership contract and operational services, Article 6(1)(a) consent for marketing communications and non essential cookies, and Article 6(1)(f) legitimate interests for security, fraud prevention, and audit logging.
Yes. Constellation Software hosts the platform in Canada (Toronto) and the United States. Canada has a European Commission adequacy decision for commercial organizations under PIPEDA, so transfers to Canadian data centers are straightforward. US transfers rely on the EU US Data Privacy Framework certification or on Standard Contractual Clauses with a transfer impact assessment.
A DPIA is recommended. Jonas processes a broad and sensitive personal data set including financial information (payment cards, dues), behavioral data (attendance, bookings, purchases), and preference data (dietary, golf scores) that can indirectly reveal health or religious information. The risk profile justifies a documented assessment under Article 35 GDPR.
Sign a Data Processing Agreement with Jonas Club Software, document the processing in your Article 30 register, deploy a consent management platform to gate analytics cookies and the marketing email opt in, restrict role based access in the portal, configure retention rules for inactive members, and publish a privacy notice that lists Jonas as a processor and discloses Canada and US transfers.
Common alternatives in the club management space include ClubExpress (cloud platform for member organizations), ForeUP (golf course and club management), and Northstar Technologies (club POS and member management). Each has its own data hosting model and privacy footprint, so a comparable assessment is needed before switching.
Yes. The cookie policy must list each cookie placed by the Jonas portal (essential session and authentication cookies, plus the analytics cookie), describe its purpose, retention, and whether it is first or third party. The policy should also explain that essential cookies have no opt out and how members can withdraw consent for analytics.