Privacy Policy

1. Who we are

CaddyStax ("we," "us," "our") is a hobbyist golf-group management application operated from the United States. You can reach us at founder@caddystax.com.

2. What we collect

We collect only what is necessary to operate the app:

• Account information — your email address, display name, and a hashed password.
• Group / round data — the rounds, scores, payouts, and ledger entries you and your group members create.
• Handicap and game preferences — values you enter or that your group admin enters on your behalf.
• Operational logs — IP address, request paths, and user-agent strings, kept short-term for security and debugging.
• Email delivery records — bounce / unsubscribe state for tee-time notifications you opt into.

We do not collect payment card information directly; if billing is ever enabled, payments are processed by Stripe under their privacy policy.

3. How we use your data

• To provide the app's features (scoring, leaderboards, ledger, tee-times).
• To send transactional email you have opted into (password reset, group invites, tee-time digests).
• To detect abuse and keep the service running (rate limits, audit logs).
• To respond to your requests and support questions.

We do not sell your data. We do not use your data to train third-party AI models. The optional in-app AI features call OpenAI's API; only the prompt content needed for the requested feature is sent, and results are cached.

4. Sharing

We share data only with the service providers needed to run the app:

• Render — application hosting and database (United States).
• Cloudflare — DNS and edge protection.
• OpenAI — only when you use AI-powered features.
• SMTP provider — transactional email delivery.
• Stripe — payment processing (only if billing is enabled for your group; not active during the current beta).

We do not share your data with advertisers, data brokers, or analytics providers beyond the operational logs above.

5. Retention

Account and group data are retained for as long as your account is active. When you delete your account, we soft-delete the user record so historical rounds and ledger entries you created remain consistent for the rest of your group; we will fully purge on request (see §7). Operational logs are retained for up to 30 days. Database backups are retained for up to 7 days.

6. Security

We protect data with TLS in transit, at-rest encryption for the database, bcrypt password hashing, JWT-based session revocation on logout, role-based access controls, an append-only audit log, and per-tenant data isolation. We follow the OWASP ASVS Level 1 baseline (self-assessed) and run the OWASP ZAP baseline scan on a recurring cadence. No system is perfectly secure; if you discover a vulnerability, please email us immediately.

7. Your rights

You may, at any time:

• Access and edit your profile data inside the app.
• Request a copy of your data or full deletion by emailing founder@caddystax.com. We respond within 30 days.
• Opt out of any non-essential email category from the in-app notification settings.

CaddyStax is currently a US-only service and is not directed to users in the EEA, UK, or California for the purposes of GDPR or CCPA controllership obligations. We nonetheless honor reasonable access and deletion requests regardless of where you live.

8. Children

CaddyStax is not directed to children under 13. We do not knowingly collect data from children under 13. If you believe a child has created an account, contact us and we will delete it.

9. Changes

We may update this policy as the app evolves. The effective date at the top will change when we do. Material changes will be announced in-app or by email.

10. Contact

Questions or requests: founder@caddystax.com.