Privacy Policy

1. Who we are

teevyx ("we", "us") is a software service operated from Belgium. Our registered office is available on request via hello@teevyx.com.

We are the data controller for the personal data described in this policy. For payment-processing data we send to Stripe, Stripe is an independent controller (see section 4).

2. What we collect

Account & profile

• Email address (for sign-in and transactional notifications)
• Display name and (optional) profile photo
• Date of birth (for age verification and to gate sign-up to 13+)
• Optional: nationality, gender, home golf club, handicap index and federation, travel-document country (you control whether you fill these in)
• Authentication credentials (password hashes, passkey identifiers, OAuth tokens)

Activity in the app

• Rounds you record (course, date, format, hole-by-hole scores, optional putts and detailed shot data)
• Friend connections and society / club memberships
• Events you organise or join, including tee times and RSVPs
• Comments, reactions, and other content you post

Device & technical

• Push-notification tokens (Apple APNs, Google FCM, or Expo)
• Crash reports and JavaScript error stack traces (sent to Sentry, with personal identifiers redacted before sending)
• App version, OS version, device class, and timezone — used for support triage and product analytics
• IP address — captured by our hosting infrastructure for security and abuse prevention; never combined with profile data for marketing

Payments (only if you make or receive a payment)

• Card / payment-method data is sent directly to Stripe; we never store your full card number on our infrastructure
• Transaction amount, currency, status, and a Stripe identifier (so you can find the charge in your dashboard or statement)
• For club admins setting up the club's connected account: business name, address, IBAN, VAT / tax-ID — collected by Stripe and shared with us only as needed for platform reporting (e.g., DAC7 in the EU)

We do not collect: precise GPS location, voice recordings, health data, biometric data, or contact-list / address-book data. We do not run any third-party advertising trackers.

3. Why we collect it (legal bases under GDPR)

• Contract performance (Art. 6(1)(b)) — to run the service you signed up for: scoring rounds, building leaderboards, sending tee-time notifications, processing your payments
• Legitimate interests (Art. 6(1)(f)) — to keep the service secure, prevent abuse, debug crashes, and improve product quality. We weigh this against your rights and you can object via the Contact section below.
• Consent (Art. 6(1)(a)) — for optional things like marketing emails (if we ever send any) and any profile field you explicitly choose to fill in. You can withdraw consent at any time.
• Legal obligation (Art. 6(1)(c)) — for tax records, anti-money-laundering checks (handled by Stripe), and platform reporting under EU DAC7.

4. Who we share it with

We use a small set of vendors ("sub-processors") to run the service. Each is bound by a data-processing agreement.

• Supabase (database, authentication, file storage) — EU-hosted in Frankfurt
• Stripe (payments, payouts, KYC, AML) — independent controller for payment data; processes globally
• Sentry (crash and error reporting) — EU region, with identifiers and free-text fields scrubbed client-side before sending
• Apple Push Notification Service and Google Firebase Cloud Messaging — to deliver notifications to your device
• Expo — for push-token management and over-the-air updates of the mobile app
• Resend (via Supabase Auth) — for transactional emails (magic links, account confirmation)
• Vercel — to serve our website and edge endpoints

We do not sell your personal data. We do not share it for third-party advertising. We may disclose it in response to a binding legal request (subpoena, court order); we will tell you unless we're legally barred from doing so.

5. International transfers

Our primary database and authentication systems are hosted in the EU (Frankfurt). Some sub-processors (Stripe, Apple, Google) process data outside the EU/EEA — primarily the United States.

For those transfers we rely on the European Commission's 2021 Standard Contractual Clauses and, where applicable, supplementary measures (encryption in transit, no plaintext PII in error reports).

6. How long we keep it

• Account & profile data: while your account is active. If you delete your account, we anonymise your profile and remove personal identifiers within 30 days.
• Round / scoring history: retained for the integrity of leaderboards and tournament records that involve other players. After account deletion, your scores stay attached to a "Deleted player" placeholder.
• Payment records: retained as required by Belgian / EU tax law (typically 7 years) and beyond for any ongoing dispute.
• Crash reports: 90 days, then automatically purged.
• Backups: rolling 30-day window, then overwritten.

7. Your rights

Under the GDPR (and equivalent laws in other regions — see section 12) you have the right to:

• Access a copy of the data we hold about you
• Rectify data that is inaccurate or incomplete
• Erase your data ("right to be forgotten") — you can do this from inside the app via Settings → Delete my account, or by emailing us
• Restrict or object to certain processing
• Receive your data in a portable machine-readable format
• Withdraw any consent you previously gave
• Lodge a complaint with a supervisory authority. In Belgium that's the Autorité de protection des données / Gegevensbeschermingsautoriteit; for users elsewhere in the EEA, your local DPA.

To exercise any of these, email privacy@teevyx.com. We respond within 30 days.

8. Children

teevyx is intended for users aged 13 and over (16 and over in EU member states that have set the higher GDPR Art. 8 default). We ask for date of birth at sign-up and refuse accounts that do not meet the threshold.

We do not knowingly collect data from children under those ages. If you believe a child has signed up against this policy, email privacy@teevyx.com and we will delete the account.

9. Security

We use TLS for every connection between your device and our servers, encrypt data at rest in our managed databases, and restrict employee access to production data on a strict need-to-know basis. Authentication uses passkeys (WebAuthn) or email magic links by default.

No system is perfectly secure. If you become aware of a security issue, please contact us at privacy@teevyx.com; we do not pursue good-faith security researchers.

10. Changes to this policy

We may update this policy as the product evolves. Material changes are surfaced in the app and at the top of this page; you may be asked to re-accept if the changes affect what we collect or how we use it. The "Last updated" date at the top of this page reflects the current version.

11. Contact

For privacy-specific questions or to exercise any right described above, email privacy@teevyx.com.

For general support, email hello@teevyx.com.

12. Regional notices

United States — California, Virginia, Colorado & others

We do not sell or share your personal information as those terms are defined in the California Consumer Privacy Act (CCPA/CPRA) or comparable state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA). We do not use behavioural advertising. If you are a California resident, you have the right to know, delete, correct, and limit the use of sensitive personal information; the contact path is the same as section 11.

Canada — Quebec Law 25

Our Privacy Officer for Quebec residents is the company founder, contactable via privacy@teevyx.com. We honour the right to data portability described in Quebec Law 25 within 30 days of request.

Brazil — LGPD

If you are in Brazil, your rights under the Lei Geral de Proteção de Dados (LGPD) are the same as those described in section 7. Contact privacy@teevyx.com to exercise them.

United Kingdom

Your rights under the UK GDPR mirror the EU GDPR. The supervisory authority for UK residents is the Information Commissioner's Office (ICO).

Australia, Japan, South Africa

We honour the equivalents of the rights in section 7 under the Australian Privacy Act, Japan's Act on the Protection of Personal Information (APPI), and South Africa's Protection of Personal Information Act (POPIA). Contact privacy@teevyx.com.