1. About this policy
This Privacy Policy describes how GolfAuth Pty Ltd (ABN 55 686 258 408, hereafter “GolfAuth”, “we”, “us”) collects, uses, holds, discloses, and protects personal information when you use the GolfAuth platform, services, applications, and websites (the “Services”).
We are an Australian company headquartered in Queensland, Australia. We provide an intelligent equipment platform for golfers and a complete business platform for fitting professionals. Our Services are available globally, with Australia as our primary operating market and active expansion into the United Kingdom, European Union, and United States.
This policy applies to:
- Visitors to our websites (golfauth.com and associated domains)
- Registered users (golfers, fitting professionals, and their customers)
- People who contact us through forms, email, or other channels
- Applicants to our Founding Fitters Program
This policy is designed to comply with:
- Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP)
- General Data Protection Regulation (EU) 2016/679 (GDPR)
- UK General Data Protection Regulation and Data Protection Act 2018
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- Singapore Personal Data Protection Act (PDPA)
Where requirements differ across jurisdictions, we apply the most protective standard.
2. What information we collect
2.1 Information you provide directly
Account information. When you register, we collect your name, email address, password (stored as a cryptographic hash, never in plain text), date of birth (for age verification where required), and your account type (golfer, fitting professional, or fitter customer).
Profile information. You may choose to provide additional information including a profile photo, location (city/state), golf-specific information (handicap, home club, playing preferences), and contact preferences.
Equipment information. When you register golf equipment, we collect equipment details (brand, model, specifications, serial number where present), purchase information (date, retailer, price, currency), photographs of equipment, and your assessment of condition.
Receipt information. When you forward purchase emails to your personal GolfAuth address or upload receipt images, we collect the full content of those receipts, including retailer details, line items, prices, dates, order numbers, payment methods (where visible), shipping addresses (where present), and any other content within the receipt.
Payment information. For paid subscriptions, billing is processed by the payment system applicable to where you subscribed. For web and PWA subscriptions, Stripe processes payment — we collect billing information through Stripe and do not directly store full credit card numbers (these are tokenised and stored by Stripe under their security framework). For iOS App Store subscriptions, Apple processes payment and we receive only subscription status information (active, expired, cancelled) — we do not see card details. For Android Play Store subscriptions, Google processes payment and we receive only subscription status information.
For Stripe Connect transactions between golfers and fitting professionals (payments for fitting sessions and equipment), payment information flows directly to the fitter’s Stripe account. GolfAuth does not store the golfer’s card details for these transactions.
Communication content. When you contact us, complete forms, or use our AI Caddie chat feature, we collect the content of those communications including chat history.
2.2 Information from professionals’ customers
If you are a customer of a fitting professional using GolfAuth Pro, the professional may enter information about you including name, contact details, golf swing and equipment preferences, fitting session notes, and quote/order information. The fitting professional is the primary data controller for this information; GolfAuth processes it on their behalf as a service provider.
For payment processing through Stripe Connect, your payment information flows directly from you to the professional’s Stripe account. GolfAuth facilitates the connection but does not act as the data controller for these payment transactions. Stripe is the data controller for payment processing.
2.3 Information collected automatically
Technical information. We collect IP addresses, device identifiers, browser type and version, operating system, time zone, language preferences, and similar technical data.
Usage information. We collect information about how you interact with our Services including pages visited, features used, time spent, clicks, search queries, and similar engagement metrics.
Cookies and similar technologies. We use cookies and similar technologies as described in our Cookie Policy [link to be added]. You can manage cookie preferences through your browser settings.
Location information. Where you enable location services or use features that require location (e.g., finding nearby fitting professionals, course recommendations), we collect approximate location data. We do not track precise location continuously.
2.4 Information from third parties
Receipt enrichment. When you forward a receipt, we extract structured data from the receipt content using artificial intelligence (provided by Anthropic). The extracted data is treated as part of the receipt information.
Equipment valuations. We use third-party market data sources including eBay’s sold listings API to compute estimated values for your equipment. This processing uses anonymised product identifiers and does not transmit your personal information to these sources.
Authentication services. Where you sign in using Google, Apple, or other authentication providers, we receive limited profile information from those providers as you authorise.
2.5 Recipient information for equipment transfers
When another GolfAuth user initiates an equipment transfer to you, the sending user provides us with your contact information (typically an email address or mobile phone number) before you have a GolfAuth account or have accepted our terms. This is the only circumstance in which we collect personal information about someone who is not yet a user.
We use recipient contact information solely to:
- Notify you of the pending transfer
- Provide instructions for accepting or declining the transfer
- Verify your identity if you choose to accept
We do not use recipient contact information for any other purpose. We do not use it for marketing. We do not share it with the sending user beyond confirming whether the transfer was accepted or declined.
If you do not accept the transfer within 30 days, we permanently delete your contact information unless you have separately created a GolfAuth account during that period. If you decline the transfer, we delete your contact information within 7 days.
If you are a recipient and wish to have your contact information deleted before the 30-day expiry, you can decline the transfer or contact privacy@golfauth.com.
2.6 Phone numbers and SMS
Where you provide a phone number (for account security, transfer notifications, or marketing), we collect and store it. If you opt in to receive SMS communications, we additionally record:
- Your consent (the act of opting in)
- The date and time of consent
- The categories of SMS you have consented to receive (e.g., account security only, or also marketing)
- Your IP address at the time of consent (for compliance verification)
You can withdraw SMS consent at any time by:
- Replying STOP to any SMS message you receive from us
- Adjusting SMS preferences in your account settings
- Emailing privacy@golfauth.com
SMS withdrawal does not affect other communications you have consented to receive (such as transactional email).
Standard message and data rates from your mobile carrier may apply. Message frequency varies based on the categories you have opted in to.
For SMS sent to Australian numbers, we comply with the Australian Spam Act 2003. For SMS sent to other jurisdictions, we comply with equivalent local frameworks (including TCPA and CAN-SPAM where applicable to US numbers). Where we cannot comply with the requirements of a jurisdiction, we will not send SMS to numbers in that jurisdiction.
3. How we use your information
We use your information to:
Provide the Services. This includes operating your account, processing equipment registrations, running our AI Caddie and valuation features, processing receipts, generating reports, and facilitating equipment transfers.
Process payments. For your subscriptions to GolfAuth, and to enable Stripe Connect transactions between fitting professionals and their customers.
Communicate with you. Including transactional emails (account confirmations, receipts, transfer notifications), service updates, security alerts, and (where you have opted in) marketing communications.
Improve our Services. Including analytics, debugging, performance monitoring, and developing new features. Where we use your data to train or improve AI features, we use only anonymised or aggregate data.
Detect and prevent fraud. Including identifying counterfeit equipment patterns, suspicious account activity, and potentially fraudulent receipts or transfers.
Comply with legal obligations. Including responding to lawful requests from authorities, meeting tax and accounting requirements, and exercising or defending legal claims.
Network and ecosystem integrity. As more users join GolfAuth, the verification network becomes more capable of detecting counterfeit patterns and supporting equipment provenance. We may use aggregated, anonymised data from across the network for this purpose, in ways that cannot be linked back to individual users.
We do not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.
4. The digital twin and equipment records
When you register a club, we create a “digital twin” — a structured record containing the equipment’s specifications, photographs, history, valuation, and verification status. This record is associated with your account.
Digital twins are database records, not blockchain assets. Despite the terminology, we do not use blockchain or NFT technology for digital twins. The records live in our standard relational database.
When you transfer an equipment item to another GolfAuth user, the digital twin is associated with that user’s account. The new owner sees the equipment’s verification history. The previous owner retains access to a historical record showing they previously owned the equipment, but loses the ability to view its current status or attach new information to it.
If you delete your account, your digital twins are either:
- Anonymised (the equipment record persists in the system but is no longer linked to you), or
- Transferred to a new owner if a transfer is in progress
You can request that specific digital twins be deleted entirely (not anonymised) by contacting privacy@golfauth.com, subject to verification requirements.
5. How we share your information
5.1 Sub-processors
We use trusted third-party service providers (sub-processors) to operate the Services. Each sub-processor has agreed to data protection terms appropriate for the data they handle.
Current sub-processors include:
- Supabase Inc. (United States) — database hosting, authentication
- Stripe Inc. (United States, Australia) — payment processing
- Apple Inc. (United States) — App Store subscription billing (for iOS Golfer Premium subscriptions only)
- Google LLC (United States) — Google Play subscription billing (for Android Golfer Premium subscriptions only)
- Anthropic PBC (United States) — AI processing for receipts and Caddie features
- Resend (United States) — transactional email delivery
- Postmark / ActiveCampaign (United States) — transactional and marketing email
- Twilio Inc. (United States) — SMS delivery (where SMS is enabled)
- Sentry (United States) — error monitoring and observability
- DataDog (United States) — application performance monitoring
- Netlify Inc. (United States) — website and application hosting
A current list of sub-processors is maintained at golfauth.com/sub-processors. We may add or change sub-processors with reasonable notice.
5.2 Sharing between users
GolfAuth is a network platform. Some sharing is inherent to the Services:
Between golfers and their fitting professionals. If you are a golfer and you have engaged a fitting professional through GolfAuth, you and that professional can see information relevant to the fitting relationship.
During equipment transfers. When you initiate or accept a transfer, the other party can see the equipment’s verification history and your name (the name you used on your account).
Find a Pro listings. Fitting professionals who choose to be discoverable through the Find a Pro feature have their business profile (business name, location, contact information they choose to publish, specialties) visible to golfers searching for fitting services.
Verified status indicators. When equipment is offered for sale or transfer, its verified status (and the source of verification) is visible to potential recipients.
5.3 Legal disclosures
We may disclose your information when required by law, including:
- Responding to subpoenas, court orders, or other lawful requests
- Cooperating with law enforcement investigations
- Protecting our rights or property
- Preventing fraud or harm to users
- Meeting regulatory or compliance obligations
We notify users of such disclosures where legally permitted to do so.
5.4 Business transfers
If GolfAuth is acquired or merged with another company, your information may be transferred to the successor entity. We will provide notice and choice where required by law.
5.5 With your consent
We may share your information with other parties where you provide explicit consent.
6. International data transfers
GolfAuth is headquartered in Australia, and we use sub-processors based primarily in the United States. Your information may be transferred to, stored, and processed in:
- Australia (primary operations)
- United States (most sub-processors)
- European Union (some sub-processors with regional infrastructure)
- Singapore (selected backup and operations infrastructure)
Where personal information is transferred from the European Union, United Kingdom, or other jurisdictions with cross-border restrictions, we rely on appropriate transfer mechanisms including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Agreement (IDTA)
- Adequacy decisions where they exist
- Other lawful transfer mechanisms
You can contact privacy@golfauth.com for information about specific transfer mechanisms applicable to your data.
7. How we protect your information
We implement appropriate technical and organisational measures to protect your information, including:
- Encryption of data in transit (TLS) and at rest
- Cryptographic hashing of passwords
- Database-level access controls (row-level security)
- Two-factor authentication available for accounts
- Regular security reviews and penetration testing
- Incident response procedures
- Access controls limiting staff access to user data
- Audit logging of administrative actions
We retain professional security tooling including dependency vulnerability scanning, code security analysis, and runtime monitoring.
No system is perfectly secure. We will notify you of security incidents affecting your data in accordance with applicable law, including under APP 11 (Notifiable Data Breaches scheme), GDPR Article 34, and equivalent frameworks.
8. Your rights
8.1 Universal rights (available to all users)
You have the right to:
- Access your information (we provide a self-service data export from your account, or you can request a copy by email)
- Correct inaccurate information (most fields are self-service editable in your account)
- Delete your account and information (described in Section 9)
- Object to certain uses of your information
- Withdraw consent for processing based on consent (e.g., marketing communications)
- Lodge a complaint with a privacy regulator
8.2 Additional rights for EU/UK users (GDPR/UK DPA)
If you are in the European Union or United Kingdom, you additionally have the right to:
- Restriction of processing
- Data portability (receive your data in a machine-readable format)
- Object to automated decision-making
You may lodge complaints with your local Data Protection Authority. In the UK, this is the Information Commissioner’s Office (ICO).
8.3 Additional rights for California users (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we have collected
- Know whether we sell or share your personal information (we do not)
- Request deletion (subject to certain exceptions)
- Correct inaccurate information
- Limit use of sensitive personal information
- Non-discrimination for exercising your rights
We do not “sell” or “share” personal information as defined under the CCPA/CPRA.
8.4 How to exercise your rights
You can exercise most rights directly through your account settings (data export, correction, deletion).
For rights that require manual processing, contact privacy@golfauth.com. We respond to all rights requests within 30 days (or sooner where required by applicable law). For complex requests we may extend this period by up to 60 additional days and will notify you of any extension.
9. Self-service account deletion
9.1 What happens when you initiate deletion
When you initiate account deletion, your account enters a “pending deletion” state for 30 days. During this period:
- Your account is deactivated (you cannot sign in)
- You can restore the account by contacting privacy@golfauth.com
- Your data is not yet anonymised or deleted
After the 30-day period:
- We anonymise or delete your data according to Section 9.2 and 9.3
- Deletion is final and irreversible after this point
9.2 What is deleted
Within 30 days of completing the deletion period, we delete:
- Your email address, name, phone number, and other directly identifying information
- Your profile photo
- Your password hash
- Your authentication credentials (OAuth connections, etc.)
- Your AI Caddie chat history
- Active subscription information (after billing reconciliation)
- Stored payment method tokens
- Your forwarded receipts and their full content (after legal retention period if any)
9.3 What is retained as anonymised records
We retain the following as anonymised records that cannot be linked back to you:
- Equipment records (digital twins) may persist in the system as anonymised records, transferred to subsequent owners, or deleted at your specific request
- Aggregate transaction data (for accounting and tax purposes)
- Network-level statistics (e.g., how many clubs of a particular model are in the system)
- Anonymised AI training data, where you previously consented or where the data has been fully de-identified
Anonymised data is not personal information under applicable law and is not subject to deletion requests.
9.4 What is retained under legal obligation
We retain certain information as required by law, including:
- Tax records (typically 7 years under Australian law)
- Records subject to legal hold (litigation, regulatory investigations)
- Anti-money-laundering records where applicable
- Records of consent (for compliance verification)
These records are kept in restricted-access archives, not active databases.
9.5 Backup retention
Our backups are retained for 30 days. Deleted data may persist in backups for this period after deletion. Backups are not used for active retrieval; if a backup is restored due to a system failure, we will re-apply deletion requests to the restored state.
9.6 Deletion of data held by professionals
If you are a customer of a fitting professional, your data may exist in two places:
- GolfAuth’s systems (controlled by GolfAuth, deleted per this policy)
- The professional’s account (controlled by the professional, deleted per their own retention policies)
We will delete data we control, but we cannot compel a fitting professional to delete records they hold for their own business purposes (subject to their own legal obligations).
9.7 Reversibility and finality
Account deletion is permanent after the 30-day grace period. You cannot recover a deleted account or its data after this point. If you wish to use GolfAuth again, you would need to create a new account.
10. Data retention
We retain personal information only as long as necessary for the purposes for which it was collected.
| Data type | Retention period |
|---|---|
| Active account data | While account is active |
| Pending deletion data | 30 days after deletion initiation |
| Backups | 30 days |
| Tax and financial records | 7 years (Australian law) |
| Audit logs | 2 years |
| Customer service records | 3 years |
| Subscription billing records | 7 years (Australian law) |
| Marketing consent records | While consent is valid + 2 years after withdrawal |
| Transferred recipient contact information | 30 days if transfer not accepted; 7 days if declined |
| Anti-fraud records | 7 years (or longer for active investigations) |
Where retention periods differ across jurisdictions, we apply the longer period to comply with the most demanding requirement.
11. Children and minors
GolfAuth is not directed to children under 18 years of age. We do not knowingly collect personal information from children under 18.
If you are a parent or guardian and believe your child has provided personal information to us, please contact privacy@golfauth.com. We will delete the information promptly upon verification.
12. Cookies and tracking
We use cookies and similar technologies for:
- Essential operations (authentication, session management, security)
- Analytics (understanding how the Services are used)
- Performance monitoring (error detection, page load metrics)
- Marketing (only where you have opted in)
You can manage cookies through your browser settings. Disabling essential cookies will prevent core Service functionality.
We do not use cookies for cross-site tracking. We do not participate in advertising networks that build profiles of users across the web.
Our Cookie Policy provides specific details on each cookie we use and how to opt out where applicable.
13. Marketing communications
We send marketing communications only where you have opted in (or where opt-out is permitted under applicable law for existing customers receiving information about similar services).
You can opt out of marketing communications at any time by:
- Clicking “unsubscribe” in any marketing email
- Adjusting communication preferences in your account
- Replying STOP to marketing SMS
- Emailing privacy@golfauth.com
Opting out of marketing does not affect transactional communications (account confirmations, security alerts, billing notifications).
14. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified by:
- Email to your registered address (at least 30 days before changes take effect)
- A notice within the Services
- An update to the “Effective Date” at the top of this policy
If you do not agree to changes, you can delete your account before the changes take effect.
15. How to contact us
For privacy questions, rights requests, or complaints, contact us by email at privacy@golfauth.com. We aim to respond within 30 days (or sooner where required by applicable law).
GolfAuth Pty Ltd (ABN 55 686 258 408) is an Australian company based in Queensland, Australia. Our company registration details are publicly available on the Australian Business Register at abr.business.gov.au.
For regulatory complaints:
- Australia: Office of the Australian Information Commissioner (oaic.gov.au)
- EU/UK: Your local Data Protection Authority
- California: California Privacy Protection Agency (cppa.ca.gov)
This Privacy Policy is provided as plain language for accessibility. Where this policy and our Terms of Service differ on data handling, the more protective interpretation applies. This policy is not a contract; the Terms of Service govern your relationship with GolfAuth.

