PRIVACY POLICY

EFFECTIVE APRIL 28, 2026

The plain-English version: we collect only what we need to run a private fantasy-golf league for you and your friends. We don’t sell anything to advertisers. You can delete your account at any time at /app/account/delete. The full inventory is below.

01 · Data we collect

The full list of personal data Your Tour stores about you:

  • Account identity — your email address (required for sign-in), display name, and an optional avatar image (stored in Supabase Storage and referenced by URL on the profiles row).
  • Profile metadata — onboarding flags indicating which guided tours you’ve completed or skipped, and (after a deletion is scheduled) a deletion timestamp.
  • League data — your league memberships, role within each league (commish or member), and the leagues you’ve created.
  • Player records — when you add a real-life golfer to a league’s pool (their name, salary, optional handicap), and when a commish links a player record to your account.
  • Tournaments & rounds — tournaments you participate in, your fantasy lineups (entries and entry_players), groupings, and tee selections.
  • Scoring — scorecards and hole-by-hole scores you log, including any timestamps and per-hole notes.
  • Reactions — emoji reactions you place on holes, scorecards, or tournaments.
  • Highlight reels & shares — generated highlight-reel records, voice-preset preferences, render counts, and public share tokens you create.
  • Email reminder log — which transactional reminder emails we’ve sent you, kept for de-duplication so we don’t spam you.
  • Push tokens — if you install the iOS companion app and grant push permission, the Expo push token for your device.
  • Subscription state — Stripe customer ID, entitlement status, and subscription period for paid plans.
  • Diagnostic data — error reports captured by Sentry (stack traces, user ID, anonymized request context) and standard server logs (IP address, user agent, request path) collected by our hosting provider.

All user-facing tables are protected by Postgres row-level security; queries are scoped to leagues you’re a member of.

02 · How we use it

We use your data to:

  • operate the Service for you and the other members of your private leagues;
  • send transactional email (sign-in links, reminder emails, deletion confirmations);
  • generate AI-narrated highlight reels using the scoring data and any free-text commentary you submit;
  • process payments through Stripe and manage your subscription;
  • investigate bugs, improve performance, and prevent abuse (Sentry, server logs);
  • comply with legal obligations.

We do not sell your personal data. We do not use your data to train competing fantasy-sports products or to profile you for advertising.

03 · How long we keep it

We keep your account data for as long as your account exists. When you delete your account, we follow a 30-day cooling-off window (see Section 06), then permanently delete the underlying records and replace your name in any shared content (e.g., a scorecard in a tournament other members are still in) with a “[deleted user]” placeholder. Server logs and Sentry events are retained per the providers’ default retention windows (typically 30–90 days). Stripe retains payment records for the period required by financial regulations.

04 · Third parties

We share data with the following processors as needed to operate the Service. Each one is contractually bound to use the data only for the services they provide to us.

PROVIDER                  PURPOSE
Supabase                  Database, auth, file storage (avatars), backend.
Vercel                    Web hosting, serverless functions, edge cache.
Stripe                    Subscription billing and payment processing.
Resend                    Transactional email (magic links, reminders, deletion confirmations).
ElevenLabs                Text-to-speech narration for highlight reels.
Google Gemini / OpenAI    Large-language-model generation of highlight-reel storyboards from your scoring data.
AWS (Remotion Lambda)     Renders the highlight-reel video. The MP4 is then stored back in Supabase Storage.
Sentry                    Error reporting and performance monitoring.
Cloudflare                DNS and email routing for our domain.
GolfCourseAPI             Course / tee data lookup. Server-side only — your account data is never sent.
Meta (Facebook Pixel)     Ad attribution and aggregate funnel analytics. Loaded only on the marketing site and dashboard, never on auth screens.

Some of these providers (Stripe, AWS) operate in the United States and may process data internationally. By using the Service you consent to that processing.

05 · Cookies & local storage

Your Tour uses Supabase’s authentication cookies to keep you signed in across page loads, plus a small number of first-party cookies for session state and CSRF-style verification. We also use the Meta (Facebook) Pixel for ad attribution and aggregate funnel analytics; it sets third-party cookies on your browser when you load the site.

You can clear these cookies at any time from your browser’s settings. Doing so will sign you out.

06 · Your rights

You have the following rights with respect to your personal data:

  • Access & correction — view and edit your profile fields at /app/account. For league-specific data, ask the league commish (the source-of-truth for tournament records).
  • Deletion — start the deletion flow at /app/account/delete. We schedule deletion on a 30-day cooling-off window; sign in any time during the window to cancel. After the window elapses we permanently remove your account record and replace your name in shared content with “[deleted user].”
  • Export — we don’t yet have a self-serve export. Email [email protected] and we’ll generate one for you.
  • Object / restrict — email us if you believe we’re processing your data in a way that’s not covered by this policy.

07 · Age requirement

Your Tour is intended for adults aged 18 or older, matching our Terms of Service. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us and we’ll remove it.

08 · Security

We protect data in transit with TLS, store it in encrypted-at-rest Postgres, apply row-level security to all user-facing tables, and treat third-party API keys as server-only secrets that never reach the browser. No system is perfectly secure; if we ever discover a breach affecting your data, we will notify you without undue delay.

09 · Changes to this policy

When we update this policy materially we’ll change the effective date at the top of the page and notify active accounts via email or an in-app banner before the change takes effect.

10 · Contact

For privacy questions, deletion requests we can’t handle via the self-serve flow, or to file a data-subject request, email [email protected].

For everything else (bug reports, feature requests, support), use the contact form.