Privacy Policy

1. Information We Collect

1.1 Information you provide directly

• Account information: email address, password, email one-time passcode activity, Supabase user ID, and Sign in with Apple identity token information. We do not see or store your plaintext password.
• Profile information: first name, last name, home base label, home base search query, and profile/rating sharing preferences.
• Course and round information: courses you rate, played date, optional score, category ratings, overall rating, public/private rating flag, and the course/ranking records needed to build your Tee Box and rankings.
• Head-to-head ranking choices: the courses presented in a ranking session, your selected winner or "too close" choice, undo activity, and resulting personal course ranking data.
• Support and feedback: messages you send us by email, in-app support flows, TestFlight feedback, or similar channels.

1.2 Information collected automatically

• Session and request data: authentication session state, access tokens, request metadata, IP address, timestamps, and similar operational logs created by Supabase or our hosting infrastructure.
• Device and app context: basic device, operating system, app version, and network information that may be sent by the app, the operating system, or our service providers as part of normal service operation.
• Location data: if you grant iOS when-in-use location permission, Golfist requests your current location while the app is open to sort nearby courses. The app may send latitude and longitude to Supabase search functions for nearby course results and may show a reverse-geocoded city or region label. Golfist does not request background location access.
• Product analytics and replay data: event names, timestamps, app screens or flows used, buttons or actions taken, masked session replay data, app/device context, feature flag or experiment assignments, diagnostics, crash/error information, and pseudonymous identifiers. When you are signed in, analytics may be associated with your Golfist account or Supabase user ID so we can understand activation, debug issues, and improve the product.
• Website data: if you visit golfist.golf, our hosting provider may process standard web logs such as IP address, browser, device, referring page, and pages requested.

1.3 Information from third parties

• Apple: if you use Sign in with Apple, Apple provides authentication information needed to sign you into Golfist through Supabase Auth.
• Supabase: Supabase provides authentication, database, and API infrastructure for Golfist and processes account, profile, rating, ranking, and request data on our behalf.
• PostHog: PostHog provides product analytics, session replay, error tracking, diagnostics, feature flag, and experimentation tools that help us understand how Golfist is used and where the app needs improvement.
• App distribution platforms: Apple may provide aggregate app distribution, TestFlight, crash, or install information through its developer tools.

2. How We Use Your Information

We use the information we collect to:

• Create and manage your account.
• Authenticate you by email/password, email one-time passcode, or Sign in with Apple.
• Save your profile settings, home base, sharing preferences, ratings, rounds, Tee Box, and rankings.
• Use foreground location or home base to show nearby courses and regional discovery results.
• Calculate personal rankings, global course rankings, and head-to-head comparison state.
• Analyze product usage, activation, feature adoption, crashes, bugs, and experiments through PostHog.
• Respond to support, feedback, deletion, privacy, legal, and security requests.
• Detect and prevent fraud, abuse, and security incidents.
• Comply with legal obligations.

3. How We Share Your Information

3.1 With other users

Golfist is built around rankings. Public rating data may contribute to course pages, Tee Box views, and rankings. The app includes profile and ratings sharing settings; where those settings are implemented in a product surface, we use them to control what other users can see. Aggregated course scores may still use rating data without displaying your account details.

3.2 With service providers

We share information with service providers who help us operate Golfist, including Supabase for authentication, database, and API hosting; PostHog for product analytics, diagnostics, feature flags, and experiments; Apple for Sign in with Apple, TestFlight, App Store, and device-level services; website hosting providers; and email/support tools. These providers process information for us or under their own terms, depending on the service.

3.3 For legal reasons

We may disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of Golfist, our users, or the public.

3.4 Business transfers

If Golfist is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or in-app notice before your information is transferred and becomes subject to a different privacy policy.

3.5 We do not sell your data

We do not sell your personal information. We also do not share personal information for cross-context behavioral advertising as those terms are commonly used in U.S. state privacy laws.

4. Data Retention

We retain account, profile, rating, round, ranking, and analytics data while your account is active or as needed to provide and improve Golfist. You can delete your account in the app. The current app calls our `delete_current_user` backend flow, which is designed to delete your user account and associated app data. We may retain limited records when required for security, legal compliance, dispute resolution, backups, analytics retention windows, or abuse prevention. Aggregated or de-identified course, ranking, and product analytics statistics may be retained after account deletion.

5. Your Rights and Choices

• Access and correction: you can view and update profile fields in the app. Email changes may require a verified Supabase Auth flow.
• Delete your account: you can use the in-app delete option or contact us at support@golfist.golf.
• Location permissions: you can revoke location access at any time in your device settings.
• Sharing settings: you can set profile and ratings preferences in the app. These settings control supported Golfist product surfaces, but they do not remove data already used in aggregated or de-identified course statistics.
• Analytics choices: if Golfist offers an in-app analytics opt-out, you can use it there. You can also contact support@golfist.golf with privacy requests related to analytics data associated with your account.
• California and other U.S. privacy rights: depending on where you live and whether a law applies to us, you may have rights to know, access, correct, delete, or receive a copy of certain personal information. You may also have the right to opt out of sale or sharing. We do not sell personal information.
• EEA/UK rights: if applicable, you may have rights to access, rectify, erase, restrict, object to processing of, or port your personal data, and to lodge a complaint with a supervisory authority.

6. Children's Privacy

Golfist is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we collected personal information from a child under 13, we will delete it promptly. Users between 13 and 18 should use Golfist only with permission from a parent or guardian. If you believe a child has provided us information without proper permission, contact us at support@golfist.golf.

7. Security

We use reasonable technical and organizational measures to protect your information, including Supabase security controls, row-level security policies, authenticated API calls, and encrypted network connections. No system is perfectly secure. You are responsible for keeping your login credentials confidential and for using a strong, unique password.

8. Product Analytics

We use PostHog to understand activation, course search, rating, Tee Box, profile, and ranking flows; diagnose product issues; measure whether features are useful; record masked sessions; capture crashes and handled errors; and run feature flags or experiments. PostHog may process event names, timestamps, app and device context, screen or flow names, selected product actions, masked session replay data, pseudonymous identifiers, account-linked identifiers, diagnostics, crash/error information, and experiment assignments.

We do not use PostHog to sell personal information or to track you across unrelated apps and websites. Session replay is configured with masking and privacy controls appropriate for Golfist. We keep this policy and our App Store privacy disclosures aligned with the actual data collected.

9. Third-Party Services

Golfist may link to or rely on third-party services, including Apple, Supabase, PostHog, email providers, website hosting providers, and TestFlight. Their handling of information is governed by their own terms and privacy policies when they act independently from us.

10. Changes to This Policy

We may update this Privacy Policy as Golfist changes, especially when we change analytics, experiments, new profile fields, uploads, paid features, or new sharing surfaces. We will post the updated policy at golfist.golf/privacy and update the "Last updated" date.

11. Contact Us