Privacy Policy

Last updated: 8 May 2026
Draft notice: Who’s on the Tee? is in early access. This policy is a plain-English summary of how we handle your data today. We may refine the wording before general launch. We’ll tell anyone with an account about material changes.

This policy explains what data Who’s on the Tee? collects, why, and who we share it with. It also covers your rights under UK GDPR and the Data Protection Act 2018.

Service: the “Who’s on the Tee?” web application at whosonthetee.app (the “Service”).
Contact: hello@whosonthetee.app

1. What we collect

Information you give us

  • Account details: email address and password. We hash passwords and never see them in plain text. Optionally a display name.
  • Early-access signups: the email address you submit on the landing page.
  • Society and trip data: trip names, dates, courses, formats, constraints, and other information you enter to plan a trip.
  • Player data: player names, optional handicap indices, gender, optional email addresses, and any tags you add. Only enter a player’s email address if that player has agreed to receive tee-sheet emails from you.
  • Society member directory: when you add a player to a trip, we keep a society-level record of that player (name, optional contact details, current handicap, preferred tee, gender, and any private organiser notes). The directory is visible to organisers and admins of that society only. Other members of the society with the “viewer” role do not see it, and members of other societies never see it.
  • Cross-society identity: if the same person plays in more than one society on the platform, we maintain a single global identity record so that person can be linked across societies (with their consent) and so a Right Of Access request returns their full footprint. We link records by email address (when available) or by an explicit confirmation flow. We never auto-link by name alone.
  • Scoring data: hole-by-hole scores you or your players enter via tokenised scoring links during a round.
  • Support correspondence: the contents of emails you send to hello@whosonthetee.app.

Information we collect automatically

  • Authentication cookies that Supabase Auth sets so you stay signed in. We don’t use them for tracking.
  • Server logs: standard request logs (IP address, user agent, timestamp, requested path). We keep them for security and debugging, for up to 30 days, unless we flag a record for incident review.
  • Email delivery events: when we send tee-sheet or invite emails, our email provider (Resend) records delivery, bounce, and open events against the recipient address.

We do not use third-party advertising trackers or behavioural analytics. We do not sell your data.

2. Why we use it (legal basis)

  • Contract: to provide the scheduler, scoring, sharing, and email features you sign up for.
  • Legitimate interests: to keep the service secure, prevent abuse, debug failures, improve the product, and maintain a society-level member directory so organisers don’t re-enter the same player on every trip. We balance this against your privacy and avoid intrusive processing.
  • Consent: for marketing emails (e.g. early-access waitlist notifications), and for cross-society linking via the email-confirmation flow. You can opt out at any time.
  • Legal obligation: where UK law requires us to retain or disclose information.

Cross-society linking

When an organiser of one society wants to add you to a different society they also organise, we ask for your confirmation by email (a tokenised link valid for 14 days). If you confirm, we link the two records so your trip history joins up across both societies. If you decline, or the link expires, the new society’s record stays separate from your original one.

If we don’t hold an email address for you, the organiser can attest that you’ve agreed to be added (offline). The organiser’s name and the timestamp are logged. Organisers using this attestation are responsible under our Terms for confirming that you’ve actually agreed.

Manual member merge (within and across societies)

Organisers can merge two member records that they confirm represent the same person. The action is irreversible and rewrites past trip history under the surviving record. Organiser notes from the deleted record are discarded unless the organiser explicitly chooses to keep them.

3. Who we share it with

We share data only with the sub-processors we need to run the service. Each one meets GDPR standards and signs a data-processing agreement with us.

  • Supabase - database, authentication, file storage. Hosted in the EU (Ireland).
  • Vercel - application hosting and edge delivery.
  • Resend - transactional and tee-sheet email delivery.
  • Google - only if you sign in with Google OAuth, in which case Google verifies your identity and shares your email address with us.

We share your data outside this list only if you ask us to, or if a court orders us to. If we change a processor, we’ll update the list above.

Within the platform, society directory data is visible only to organisers and admins of that specific society. Cross-society linkage is only created with your confirmation (or with a logged organiser attestation if no email is on file). We never expose one society’s data to another society without that linkage.

4. Where it’s stored

We store primary data in the EU. Some sub-processors (Vercel, Resend) operate globally and may transfer data to the US under standard contractual clauses (SCCs) and the EU-US Data Privacy Framework. We do not replicate your data outside the EEA or UK.

5. How long we keep it

  • Account data: until you delete your account. After deletion, we remove data from the production database within 30 days. Backups expire within 90 days.
  • Trip and scoring data: we keep it as long as the parent account is active. After that, the account-deletion timeline above applies.
  • Early-access signup emails: we keep them until launch. We either convert them to an account when you accept the invite, or delete them when you ask.
  • Email logs: 12 months. We use them for bounce handling and debugging delivery issues.
  • Server logs: 30 days, unless we flag a record for incident review.

6. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, or transfer your data, and to object to processing. To exercise any of these rights, email hello@whosonthetee.app from the address on your account.

We respond within one calendar month. If you’re unhappy with our response, you can complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint.

7. Children

The service is for adults organising golf trips. We do not knowingly collect data from children under 13. If you think a child has signed up, email us and we’ll remove the account.

8. Cookies

We use only essential cookies. There are two: the Supabase Auth session cookie that keeps you signed in, and a theme preference cookie for dark or light mode. We do not use advertising or analytics cookies. We don’t show a consent banner because we don’t set any non-essential cookies.

9. Changes to this policy

If we make material changes, we’ll update the date at the top of this page and notify account holders by email at least 14 days before the change takes effect. The current version is always at this URL.

10. Contact

Questions about this policy or how we handle your data: hello@whosonthetee.app.