Privacy Policy
Effective June 23, 2026
golfpool.club (“we”, “us”) lets you run private fantasy-golf salary-cap pools with live
scoring and optional reminders. This policy explains what we collect, why, and the control you have over it.
We keep data collection to the minimum needed to run your pools — we don’t sell your data and we don’t use
third-party advertising trackers.
What we collect
- Account info — your email address and a password, which is stored only as a salted
PBKDF2 hash (we never store and cannot read your actual password). If you sign in with Google, we receive your
Google email and basic profile, not your Google password.
- Pool content you create — pool names and settings, the golfer field and prices, and the
team picks, display names, and optional emails that you and your entrants submit.
- Reminder subscriptions — if you opt in, the email address and the events you chose, so
we can send those reminders (each with a one-tap unsubscribe link).
- Payment — if you pay the one-time charge to activate a pool, the payment is processed by
Stripe. We never receive or store your card number; we keep only a record that a pool was
paid (the Stripe identifiers and amount).
- Technical data — your IP address and basic request data, used transiently for security,
abuse prevention (rate-limiting, anti-bot challenges), and to make the service work.
How we use it
- To run your pools — store your setup, score teams against live results, and show your leaderboard.
- To send only the reminder emails or push notifications you opt into.
- To process the one-time charge that activates a pool.
- To keep the service secure and prevent abuse.
We do not sell or rent your personal data, and we don’t serve third-party behavioral ads.
Free pools show a single static in-house promo for golfpool.club itself — no ad network, no tracking pixel.
Who we share it with (processors)
We use a small set of vendors purely to operate the service. They process data on our behalf:
- Cloudflare — hosting, the database, security, and the anti-bot “Turnstile” challenge.
- Stripe — payment processing for pool activation (governed by Stripe’s own privacy policy).
- Resend — delivery of the emails you’ve opted into.
- Google — only if you choose “Sign in with Google.”
- ESPN — we read public tournament scores from ESPN; we send them nothing about you.
What’s visible inside a pool
A pool is private to the people you share its link with. Anyone with that link can see the pool’s
leaderboard, which shows entrant display names and their team picks (picks stay hidden until
the lineup lock, then become visible as part of the standings). Entrant email addresses are never
shown publicly — only the pool’s commissioner can see them. Please don’t put sensitive information in a display
name or pool name.
Cookies & local storage
We use one essential, http-only session cookie to keep you signed in, and a small browser “local storage”
marker to remember that you’re logged in. Turnstile, Stripe, and Google may set their own cookies when you
use those features. We do not use third-party advertising or cross-site tracking cookies.
Your choices & rights
- Delete your account at any time (profile menu → Danger zone → Delete account).
This permanently erases your account and all pools you own, and anonymizes the teams and dues entries you
submitted in other people’s pools. Any messages you posted to a pool’s public message board may be retained
as part of that pool’s history but are no longer linked to your account.
- Unsubscribe from any reminder email using the link in that email — instantly, no sign-in
needed.
- Access or correct your data, or ask a question about it, by contacting us (below).
- Depending on where you live (e.g. the EU/UK or California), you may have additional rights to access,
delete, or port your data; contact us and we’ll honor applicable requests.
Data retention
We keep your data while your account and pools are active. When you delete your account, your data is removed
promptly from the live database; routine encrypted backups age out on a rolling basis. We retain a minimal
record of completed payments where required for tax/accounting.
Security
Passwords are salted and hashed (PBKDF2); traffic is encrypted in transit (HTTPS); sessions use http-only,
secure cookies; and sensitive actions are server-authorized. No system is perfectly secure, but we work to
protect your data and minimize what we hold.
Children
The service isn’t directed to children. You must be old enough to form a binding contract in your jurisdiction
(and at least 18) to create an account or make a purchase.
Changes
We’ll update this policy as the service evolves and revise the “Effective” date above. Material changes will
be reflected here; continued use means you accept the updated policy.
Contact
Questions or requests about your data: [email protected].