Privacy Policy

1. Information we collect

Depending on how you use the Service, we may collect or process:

• Account and profile data. When you register or sign in, we collect identifiers such as your email address, an authentication secret you provide (stored using one-way hashing; we do not store your raw password in readable form), and optional profile details you choose to add (such as display name or profile image).
• Fantasy game data. We store league settings you create, invite codes, lineup selections, scoring results derived from tournament data, and related gameplay records needed to run leagues and leaderboards.
• Billing data (if you subscribe). If you purchase a paid subscription, payment information is processed by our payment processor (currently Stripe). We typically receive limited billing metadata such as subscription status, price identifiers, and customer IDs needed to link your account to that processor — not your full card number.
• Referrals and promotions. If you use creator codes, referral links, or similar programs, we store attribution and reward status tied to your account as described in-product.
• Technical and security data. Like most online services, our servers and infrastructure may process network and device data when you use the Service, which can include IP addresses, approximate location derived from IP, request timestamps, user-agent strings, diagnostic logs, and anti-abuse signals. If you enable distributed rate limiting, identifiers required for those checks may be sent to our Redis provider (for example Upstash) as part of protecting the Service.
• Cookies and similar technologies. We use cookies and similar technologies that are essential to operate the Service. In particular, we use session cookies (via our authentication setup) so you can stay signed in. If we add analytics or marketing tags later, we will update this policy and, where required, your consent flows.
• Analytics events (product instrumentation). The codebase includes hooks to record product events (for example signup, billing, or league actions). Today, those events may only be logged in development environments unless you wire a third-party analytics vendor. If you connect a vendor, that vendor's privacy notice will also apply.

2. How we use information

We use the information above to:

• Provide, maintain, and improve the Service (including scoring, sync, and customer support).
• Create and secure your account, authenticate sessions, and protect against fraud and abuse.
• Process subscriptions, invoices, credits, referrals, and related billing support.
• Comply with law, respond to lawful requests, and enforce our Terms.
• Communicate with you about the Service (for example, critical service notices or responses you initiate).
• Analyze usage in aggregate or pseudonymous form to understand performance and prioritize improvements.

3. Legal bases (EEA, UK, and similar regions)

If applicable privacy law requires a "legal basis," we rely on: performing our contract with you (providing the Service); our legitimate interests in securing and improving the Service (balanced against your rights); compliance with legal obligations; and consent where required (for example, non-essential cookies or marketing, if offered).

4. How we share information

We do not sell your personal information in the conventional sense of selling lists to data brokers. We share information only as needed in the following situations:

• Service providers. We use vendors that process data on our behalf to host the application, store databases, send email (if enabled), process payments (Stripe), provide caching or rate limiting (such as Upstash Redis), and similar infrastructure functions. We seek to limit their access to what they need to perform those services.
• Legal and safety. We may disclose information if we believe it is reasonably necessary to comply with law, regulation, legal process, or governmental request; to protect the rights, property, or safety of us, our users, or the public; or to detect or prevent fraud or security issues.
• Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality arrangements.

5. Data retention

We keep information only as long as needed for the purposes above, unless a longer period is required or permitted by law. Account data is generally retained while your account is active and for a reasonable period afterward to resolve disputes, enforce agreements, and meet legal requirements. You may request deletion as described below, subject to exceptions (for example, retained billing records).

6. Security

We use reasonable administrative, technical, and organizational measures designed to protect personal information. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, or export certain personal information, or to object to or restrict certain processing. You may also have the right to lodge a complaint with a supervisory authority.

To make a request, contact us using the information below. We may need to verify your identity before fulfilling requests. If you are a Colorado, Virginia, Connecticut, Utah, or other U.S. state resident with newly enacted privacy rights, you may have additional rights (including appeal processes) — describe any vendor-specific opt-outs here after you finalize tooling.

8. California notice

If the California Consumer Privacy Act (CCPA/CPRA) applies, we collect the categories of personal information described in Section 1. We use them for the business purposes in Section 2. California residents may have the right to request access, deletion, and correction, and to limit certain uses of sensitive personal information, subject to exceptions. We do not "sell" or "share" personal information as those terms are defined under CPRA based on the practices described here; update this section if that changes (for example, if you enable certain ad analytics).

9. International users

If you access the Service from outside the United States, your information may be processed in the United States or other countries where we or our vendors operate. Those countries may have different data protection rules than your home country. Where required, we use appropriate safeguards (such as standard contractual clauses).

10. Children

The Service is not directed to children under 13 (or the minimum age required in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, contact us and we will take appropriate steps to delete it.

11. Third-party services and data sources

The Service may display tournament, golfer, or broadcast information sourced from third parties. That display does not imply affiliation. Those third parties' sites and services are governed by their own privacy policies.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date above and may provide additional notice for material changes where appropriate. Your continued use of the Service after the effective date constitutes acceptance of the updated policy, except where applicable law requires explicit consent.

13. Contact us

For privacy questions or requests, contact us through the feedback or support options on our home page (and add a published privacy contact before broad production use).