1. Purpose of this policy
This Data Retention and Deletion Policy describes:
- How long different categories of data are retained on the GolfAuth platform
- What happens to data when a user deletes their account
- How equipment records are anonymised and retained under GolfAuth Pty Ltd custodianship
- The technical mechanics of deletion, including grace periods and backup retention
- How users can exercise their rights regarding their data
This policy is referenced from our Privacy Policy and forms part of our overall data governance framework.
2. Data categories and retention periods
GolfAuth retains different categories of data for different periods. The table below summarises retention rules.
2.1 User identity and account data
| Data category | Retention period | Notes |
|---|---|---|
| Account credentials (email, password hash) | Active account + 30 days deletion grace period | Permanently deleted after grace period |
| Profile information (name, photo, contact details, location) | Active account + 30 days deletion grace period | Permanently deleted after grace period |
| Authentication tokens, push notification tokens | Active account + 30 days deletion grace period | Permanently deleted after grace period |
| Marketing preferences and consent records | 7 years (regulatory requirement under Spam Act 2003) | Anonymised after account deletion; consent record retained |
2.2 Communications and content
| Data category | Retention period | Notes |
|---|---|---|
| AI Caddie chat history | Active account + 30 days deletion grace period | Permanently deleted after grace period |
| Customer support correspondence | 24 months from last interaction | Deleted after retention period |
| Contact form submissions | 24 months | Deleted after retention period |
| Founding Fitters Program applications | 24 months from submission | Deleted after retention period unless applicant becomes a customer |
| User-uploaded photographs and notes | Active account + 30 days deletion grace period | Photos and personal notes deleted; equipment metadata anonymised and retained |
2.3 Receipt data
| Data category | Retention period | Notes |
|---|---|---|
| Email body content from forwarded receipts | 30 days from successful processing | Then purged from email_inbound_log.body_text |
| Uploaded receipt images | 90 days from successful processing | Then purged from storage |
| Receipt extraction structured data (retailer, products, prices) | Indefinitely as anonymised records after user deletion | See Section 3 on anonymisation |
| Email metadata (sender, recipient, message ID, timestamps) | 30 days from receipt | Then purged or anonymised |
| Receipt processing logs | 90 days | For debugging and quality assurance |
2.4 Equipment and ownership data
| Data category | Retention period | Notes |
|---|---|---|
| Digital twin records (brand, model, specs, serial) | Indefinitely (anonymised after user deletion) | Retained for network integrity and provenance |
| Ownership history and transfer records | Indefinitely (anonymised after user deletion) | Retained for fraud detection and resale verification |
| Equipment valuations and market data | Indefinitely | Aggregated, no personal data |
| Fitting session records (configurations, outcomes) | Active account + 30 days deletion grace period | Personal context deleted; configuration data anonymised and retained |
2.5 Payment and transaction data
| Data category | Retention period | Notes |
|---|---|---|
| Stripe customer metadata held by GolfAuth | Active account + 30 days deletion grace period | Then purged from GolfAuth records |
| Subscription invoices and receipts | 7 years (Australian tax law) | Personal identifiers anonymised after grace period; financial figures and dates retained |
| Transaction fee records | 7 years (Australian tax law) | As above |
| Stripe Connect transaction records (held by Stripe directly) | Per Stripe’s retention policy | Stripe is the data controller |
| Refund and chargeback records | 7 years | As above |
2.6 Security and system data
| Data category | Retention period | Notes |
|---|---|---|
| System access logs | 90 days | Standard operational logs |
| Security event logs (authentication failures, suspicious activity) | 12 months | For security investigation and response |
| Fraud signals and review queue records | Indefinitely (with anonymisation) | Pattern data without personal identifiers retained for fraud detection improvement |
| Audit logs of admin access to user data | 24 months | For accountability and compliance |
2.7 Aggregated and anonymised data
| Data category | Retention period | Notes |
|---|---|---|
| Platform analytics (active users, feature usage, etc.) | Indefinitely | Aggregated, no individual identification |
| Equipment market intelligence | Indefinitely | Aggregated, no personal data |
| Trust score patterns and signal frequencies | Indefinitely | For platform improvement |
| Fraud detection training data | Indefinitely | Anonymised, used to improve detection |
3. The anonymisation model
A central feature of GolfAuth’s data retention is the anonymisation of equipment and ownership records when a user deletes their account. This section describes the model in detail.
3.1 Why anonymisation rather than deletion of equipment records
When a user deletes their account, we delete their personal information. However, the equipment they registered through GolfAuth has independent value to the platform’s network:
- Ownership chains support secondary market authentication. If a user buys equipment second-hand, the previous ownership history (even when previous owners have deleted their accounts) supports verifying the equipment’s provenance.
- Fraud detection benefits from network-wide data. Patterns of legitimate registrations and known equipment serials help detect fraudulent registrations across all users.
- Equipment market intelligence is aggregated. Anonymised pricing and ownership data contribute to the market intelligence that powers valuations and authentication.
Deleting all this data along with personal information would significantly degrade the platform’s core value to remaining and future users without proportionate benefit to the deleting user (whose personal information is already being removed).
3.2 GolfAuth Pty Ltd as custodian
When a user account is deleted, anonymised ownership and equipment records are transferred to GolfAuth Pty Ltd as custodian. This means:
- The records continue to exist within the platform database
- The records are no longer linked to any identifiable user
- GolfAuth Pty Ltd is recorded as the legal custodian of the records on behalf of the equipment ecosystem
- The records are treated as non-personal data under applicable privacy frameworks (GDPR, APP, CCPA, PDPA)
3.3 What the anonymisation process does technically
When a user deletion completes (after the 30-day grace period), the following technical actions occur:
For digital twin records (equipment_digital_twins table):
user_idis set to a designated GolfAuth Pty Ltd custodian identifier- Personal notes attached to the equipment are deleted
- Personal photographs of the user with equipment are deleted; photos of equipment alone are anonymised (no metadata referencing the user) and retained
- Records retain: brand, model, variant, category, specifications (loft, lie, flex, shaft, grip, hand, length), year, condition, serial number, purchase date, purchase price, purchase retailer, trust score, authentication status
For receipt extraction records (receipt_extractions table):
- Personal context (shipping address if extracted, customer name if extracted) is purged
- Email body text in linked
email_inbound_logrecords is already purged at the 30-day post-processing window - Records retain: retailer name, retailer location (general), purchase date, line items, prices, currency
For ownership transfer records (ownership_transfers table):
- Both sender and recipient user IDs are anonymised (replaced with anonymous owner identifiers if not already anonymous)
- Transfer dates and equipment references retained
For fitting session records (fitting_sessions and related tables):
- Customer personal information removed
- Configuration data, equipment details, and fitter notes retained anonymously
For all anonymisation:
- The mapping between original
user_idand the anonymised records is permanently destroyed - Audit logs of the deletion event are themselves sanitised to remove the original user_id
- No re-identification mechanism is retained
3.4 Anonymous owner identifiers
Where ownership history needs to show “this equipment was previously owned by someone,” anonymised previous owners are represented using anonymous owner identifiers in the format anon_owner_xxxxxxxx where the suffix is a random non-sequential identifier.
These identifiers:
- Are not linkable to original users through any database join
- Are not predictable or reversible
- Are unique per equipment record (the same deleted user may appear as different anonymous identifiers on different equipment they previously owned)
- Cannot be matched across equipment to reconstruct a user’s full history
3.5 What we cannot reverse
After anonymisation is complete:
- We have no way to identify who owned specific equipment before deletion
- We have no way to restore the original user’s account or data
- Law enforcement requests for “who owned serial X in year Y” before deletion cannot be fulfilled
- The user themselves cannot recover their data even by creating a new account
This irreversibility is fundamental to GDPR-compliant anonymisation and to the trust users place in our deletion process.
4. The self-service deletion mechanism
Users can delete their accounts directly through the platform.
4.1 How to initiate deletion
In your account settings, navigate to “Privacy and Data” → “Delete my account.”
You will be shown:
- A summary of what will be deleted (your personal information)
- A summary of what will be anonymised and retained (your equipment records)
- A reminder of the 30-day grace period
- The number of digital twins, transfers, and other records that will be affected
- A confirmation step requiring you to type “DELETE” to confirm
4.2 The 30-day grace period
Upon confirming deletion, your account enters a “pending deletion” state. During this 30-day period:
- Your account is suspended from most functions
- You can sign back in to view what will be deleted
- You can cancel the deletion at any time
- You receive a confirmation email at initiation
- You receive a reminder email 7 days before the deletion completes
- So platform features are paused (you cannot make new purchases, transfer equipment, or use AI Caddie)
To cancel a pending deletion, sign in and select “Cancel deletion” from your account settings. Your account returns to full functionality immediately.
4.3 Completion of deletion
At the end of the 30-day grace period:
- Automated deletion runs (typically completes within 24 hours of the grace period ending)
- Personal data is deleted from production database
- Equipment records are anonymised and transferred to GolfAuth Pty Ltd custodianship
- You receive a final confirmation email
After completion:
- Your email address is freed and can be used to create a new account if you wish (but no previous data will be associated)
- Any partial subscription period is forfeit (no refund except as required by applicable law)
- Outstanding subscription fees that were due at the time of deletion remain payable
4.4 Backup retention disclosure
For approximately 7 days after the deletion completes, anonymised pre-deletion data persists in our Supabase Point-in-Time Recovery (PITR) backups. This is technical operational backup, not retained for access.
- Backups age out automatically; we do not extract data from them except in emergency recovery scenarios
- Where backups are used for emergency recovery (extremely rare, only following catastrophic data loss), any restored data from deleted accounts would be re-deleted immediately as part of the recovery process
- Backup data is encrypted at rest and protected by the same access controls as production data
4.5 Special cases
Active fitter customers when fitting professional deletes account. If you are a customer of a fitting professional and that professional deletes their account, you will receive notification before deletion completes. Your equipment records that the professional helped you build remain in your account; the professional’s records about you are removed from the professional’s view.
Active disputes or transfers. If you have an active equipment transfer in progress or a payment dispute, deletion may be delayed until these are resolved (or you can explicitly cancel them as part of the deletion process). The deletion screen will inform you of any blockers.
Founding Fitters Program members. Founding Fitters Program enrolment ends if you delete your account. Locked-in pricing benefits cease.
5. Right to delete for non-account holders
People who are not registered users but who have nonetheless had their personal data collected by GolfAuth can request deletion:
5.1 Categories of non-account holder data
- Contact form submissions
- Founding Fitters Program applications from non-customers
- Mailing list subscriptions (if applicable in future)
- Records of correspondence not associated with a registered account
5.2 How to request deletion
Email privacy@golfauth.com with:
- Your full name
- The email address you used to contact us
- A brief description of when and why you contacted us
- A statement requesting deletion of your records
We will verify your identity (typically by responding to the email address you used) and complete deletion within 30 days. We will confirm completion by email.
5.3 Exceptions
We may retain some non-account-holder data where:
- Required by law (e.g., records of customer disputes)
- Necessary to enforce our Terms of Service
- Necessary to resolve disputes between users
- Held by sub-processors under their own retention policies
Where we retain data despite a deletion request, we will explain the legal basis.
6. Right to data portability
Users have the right to receive a copy of their personal data in a structured, commonly used, machine-readable format.
6.1 What’s included in a data export
- Account information (name, email, registration date, subscription status)
- Equipment records (all digital twins, with full specifications and history)
- Receipt records (extracted data and metadata; receipt images are included if still within their 90-day retention)
- AI Caddie chat history (if account is active)
- Communications history (your correspondence with GolfAuth)
- For fitting professionals: customer database, fitting sessions, quotes, supplier records
6.2 How to request export
Through your account settings: “Privacy and Data” → “Export my data.”
We provide exports in:
- CSV (one file per data category)
- JSON (single comprehensive file)
- ZIP archive containing both formats
The export is available for download for 14 days after generation, then the export file is purged.
6.3 Response time
Exports are typically available within 24 hours of request. For complex accounts (many equipment records or extensive fitting history), generation may take up to 7 days.
7. Data deletion logs and accountability
To demonstrate our compliance with deletion requests:
- Each deletion event is logged at the time of completion
- The log records the user_id (or anonymous request reference for non-account holders), the date of request, the date of completion, and e categories of data deleted
- The log does NOT record the personal information that was deleted (this would defeat the purpose of deletion)
- Logs are retained for 24 months for compliance purposes
These logs allow us to confirm that deletion has occurred if a user later questions whether their request was fulfilled, without retaining the deleted data itself.
8. Special data categories
Certain types of data have specific retention rules due to their nature.
8.1 Children’s data
Where we become aware that a user is under 18 (the minimum age for GolfAuth), we close the account and delete associated information within 7 days. We do not retain any data from confirmed minor accounts beyond what is necessary to confirm and document the closure.
8.2 Sensitive personal information
GolfAuth generally does not collect sensitive personal information as defined under various privacy frameworks (e.g., GDPR Article 9 special categories, CPRA sensitive personal information, APP sensitive information categories). Where sensitive information is collected incidentally (e.g., health-related context in a customer support email), we minimise retention and apply stricter access controls.
8.3 Fitter customer data
Fitting professionals using GolfAuth Pro store customer information on the platform as part of their business operations. The relationship is:
- GolfAuth is a data processor for this customer data
- The fitting professional is the data controller
- Retention is governed by the professional’s own data retention policy (subject to GolfAuth’s overall platform retention rules)
When a fitting professional cancels their GolfAuth Pro subscription:
- Customer records are exportable for 90 days
- After 90 days, customer records are anonymised under the standard model
9. Compliance with retention obligations
Some retention periods are extended where required by law:
9.1 Tax records
Under Australian tax law (Income Tax Assessment Act, A New Tax System (Goods and Services Tax) Act), business records must be retained for 5 years (and in some cases 7 years). We retain transaction records meeting this requirement.
These records are anonymised to remove personal identifiers after the deletion grace period, but the financial figures, transaction dates, and counterparty references (in pseudonymised form) are retained for the legally required period.
9.2 Anti-fraud records
Where we have detected or are investigating fraud, related records may be retained beyond standard periods. This includes:
- Records of fraudulent receipts or fabricated equipment registrations
- Records of compromised accounts or account takeovers
- Records of harmful or abusive use of the platform
Retention is for the duration of investigation, plus 24 months for ongoing detection of repeat patterns, or longer where required by law or for legal proceedings.
9.3 Legal hold
Where data is subject to a legal hold (e.g., due to litigation, regulatory investigation, or government request), retention is extended for the duration of the hold. Affected users will be notified where legally permitted.
10. Cross-border data transfer for retention
Our data is stored primarily in Singapore (Supabase ap-southeast-1). Backups and operational copies may be transferred to other regions for the limited purposes described in the Privacy Policy.
Retention periods apply uniformly regardless of geographic location of storage. Deletion mechanisms operate across all storage locations.
11. Changes to this policy
We may update this Data Retention and Deletion Policy from time to time. When we make material changes:
- We update the “Last revised” date at the top
- We notify registered users by email
- We provide a summary of changes in the notification
- Updated policy is available at golfauth.com/privacy/data-retention
Continued use of the Services after changes become effective constitutes acceptance.
12. Contact
For questions about data retention or to exercise rights described in this policy:
Email: privacy@golfauth.com
Postal: GolfAuth Pty Ltd, [postal address to be added]
Appendix: Items requiring legal review
The following clauses or concepts should be specifically reviewed by qualified Australian counsel before publication:
- Section 3 — The anonymisation model and GolfAuth Pty Ltd custodianship. This is the most novel concept and requires careful legal review. Particularly:
- Whether the model satisfies GDPR Article 4(5) requirements for anonymisation
- Whether the custodianship framing is robust under Australian and EU law
- Whether the technical description matches what the implementation will do
- Whether the irreversibility claim can be supported
- Section 2.4 — Indefinite retention of equipment data after anonymisation. Confirm this is defensible under APP, GDPR, and CCPA given the disclosure approach.
- Section 2.5 — Tax record retention with anonymisation. Confirm the model of “anonymise personal identifiers while retaining financial figures” satisfies both privacy law and tax record-keeping requirements (5-7 year ATO requirements).
- Section 4.4 — Backup retention disclosure. Confirm the 7-day PITR retention period and the framing is acceptable under “right to deletion without undue delay” requirements.
- Section 5.3 — Exceptions to non-account-holder deletion requests. Confirm exceptions are appropriately scoped under applicable law.
- Section 8.3 — Fitter customer data and the controller/processor model. Confirm the allocation of responsibility between GolfAuth and fitting professionals is clear and legally robust.
- Section 9 — Compliance with retention obligations. Confirm references to Australian tax law and similar requirements are current and accurate.
- All retention periods. Each row in the retention tables should be reviewed for legal sufficiency and operational feasibility.
- Section 6 — Data portability. Confirm scope and timeline align with GDPR Article 20 and equivalent requirements.
- Section 7 — Deletion logs. Confirm the framing of “logs about deletion that don’t contain deleted data” is acceptable.
End of working draft.
This document was prepared by the GolfAuth team for legal review. It does not constitute legal advice and is not effective until reviewed, finalised, and dated by qualified counsel.

