Privacy Policy

Effective Date: March 2, 2026 · Last Updated: March 2, 2026

            Summary: GolfStax collects only the data necessary to operate a golf tournament management platform. We do not sell your data, we do not show ads, and we take reasonable measures to protect your information. This policy explains exactly what we collect, why, and how you can control it.
        

Who We Are What We Collect How We Use It Sharing Google Data Children's Privacy Cookies Security Your Rights Retention Contact

1. Who We Are

GolfStax is a golf tournament management platform owned and operated by CnR Assets, LLC ("Operator," "Company," "we," "us," "our"). GolfStax is designed for use by high school golf programs, their coaches, student-athletes, parents/guardians, and spectators.

Our Platform is accessible at golfstax.com and related subdomains.

2. Information We Collect

2.1 Information You Provide Directly

Data Category	Specific Data	Who Provides It	Purpose
Account Information	Full name, email address, password (hashed)	All account types	Authentication, account management, communications
School Affiliation	School name, school ID, coaching role	Coaches, players, parents	Linking users to schools, tournament eligibility
Player Information	First name, last name, grade, graduation year, team designation, handicap, gender	Coaches (roster import), players (self-entry)	Tournament registration, team formation, scoring, UIL compliance
Tournament Data	Scores (hole-by-hole), round totals, pairings, check-in status, tournament configurations	Players, coaches, monitors, directors	Live scoring, leaderboards, results, audit trail
Parent/Guardian Info	Display name, email, linked player relationships	Parents/guardians	Score notifications, player access, tournament following
Communication Data	Support tickets, help requests, announcements	All users	Customer support, in-tournament communication

2.2 Information Collected Automatically

Data Category	Specific Data	Purpose
Usage Data	Pages visited, features used, timestamp of actions	Platform improvement, debugging
Device Information	Browser type, operating system, screen size	Ensuring compatibility, responsive design
IP Address	Internet Protocol address	Security (rate limiting, abuse prevention), error logging
Error Logs	JavaScript errors, API errors, stack traces	Bug fixing, platform stability

2.3 Information from Third Parties

Source	Data	Purpose
Google Sign-In	Google account email, display name, profile picture URL, Google user ID	Account authentication, profile display
School Directories	School names, locations, mascots, colors, logos	School identification, branding in tournament views

3. How We Use Your Information

We use the information we collect for the following purposes:

Provide the Service: Operating tournaments, real-time scoring, leaderboards, team standings, pairings, and results
Account Management: Authentication, authorization, role-based access control, password resets
Communication: Sending activation codes, verification emails, password reset links, tournament invitations, score notifications, and system announcements
Score Integrity: Maintaining audit trails, detecting conflicts, monitoring scoring anomalies
Platform Improvement: Analyzing usage patterns, fixing errors, improving user experience
Security: Detecting and preventing unauthorized access, fraud, abuse, and policy violations
Legal Compliance: Meeting applicable legal requirements, responding to lawful requests

4.1 We Do NOT:

Sell your personal information to any third party
Display advertising or share data with ad networks
Trade or barter your data for services
Share your data with data brokers or marketing companies

4.2 We MAY Share Your Information With:

Recipient	What Data	Why
Tournament Participants	Player name, school, scores, standings	Public spectator leaderboard, team standings — this is the core purpose of the platform
School Coaches & Directors	Player data for their school/tournament	Roster management, score verification, tournament administration
Parents/Guardians	Their linked player's scores and tournament data	Parental oversight of student-athlete activity
Email Service Provider	Email address, name	Sending transactional emails (activation, reset, notifications)
Hosting Provider	All data (stored on servers)	Platform hosting and operation
Law Enforcement	As required	Only in response to valid legal process (subpoena, court order, etc.)

5. Google API Services & User Data

Google API Services User Data Policy Compliance:

GolfStax's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

When you sign in with Google, we receive and store:

Email address — Used as your account identifier and for communications
Display name — Used to personalize your experience
Profile image URL — Displayed on your user profile
Google user ID — Used to link your Google account to your GolfStax account

We access this data only when you explicitly click the "Sign in with Google" button. We do not:

Access your Google contacts, calendar, drive, or any other Google services
Store your Google access token beyond the immediate authentication session
Use your Google data for advertising or profiling
Transfer your Google data to third parties except as required to operate the Platform

You can revoke GolfStax's access to your Google account at any time through your Google Account Permissions page.

6. Children's Privacy (COPPA & FERPA Compliance)

6.1 Children Under 13

GolfStax is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13 without verified parental consent. If you believe a child under 13 has provided personal information to GolfStax, please contact us immediately, and we will take steps to delete the information.

6.2 Student-Athletes (Ages 13–17)

Player accounts for minors are created in connection with school-sponsored athletic programs. The following safeguards apply:

Player accounts are initially created by coaches or through school-authorized roster imports
Account activation requires a unique activation code issued by the school
Personal information collected is limited to what is necessary for tournament participation (name, grade, school, scores)
Player data is visible only to authorized school personnel, tournament staff, and through public leaderboards
Parents/guardians may access, review, and request deletion of their child's data at any time

6.3 FERPA Considerations

GolfStax may receive student information ("education records") from schools. To the extent this data qualifies as education records under FERPA (Family Educational Rights and Privacy Act), GolfStax acts as a "school official" with a "legitimate educational interest" as determined by the school. We commit to:

Using education records only for the purposes for which they were shared
Not re-disclosing education records to third parties except as permitted by FERPA
Maintaining reasonable security measures to protect education records

7. Cookies & Local Storage

GolfStax uses the following browser storage technologies:

Technology	What We Store	Purpose	Duration
localStorage	Authentication token (JWT), theme preference, session state, offline score queue	Keeping you logged in, remembering preferences, offline functionality	Until logout or manual clearing
Service Worker Cache	Static assets (HTML, CSS, JS, images)	Offline access, faster loading	Until cache version update
Session cookies	CSRF tokens (if applicable)	Security	Browser session

GolfStax does not use third-party tracking cookies, analytics services (e.g., Google Analytics), or advertising pixels. We do not engage in cross-site tracking.

8. Data Security

We implement the following security measures to protect your information:

Encryption in Transit: All data is transmitted over HTTPS (TLS 1.2+)
Password Hashing: Passwords are hashed using bcrypt with appropriate salt rounds — we never store plaintext passwords
Authentication Tokens: JWT (JSON Web Tokens) with expiration for session management
Access Controls: Role-based access control (RBAC) ensuring users can only access data appropriate to their role
Rate Limiting: API rate limiting to prevent abuse and brute-force attacks
Input Validation: Server-side validation and sanitization of all user input
Database Backups: Regular automated backups of the database
Error Monitoring: Automated error detection and logging for rapid incident response

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

9. Your Rights & Choices

You have the following rights regarding your personal information:

Right	Description	How to Exercise
Access	Request a copy of the personal information we hold about you	Email us at richard.sullivan2002@gmail.com
Correction	Request correction of inaccurate or incomplete data	Update in-app or email us
Deletion	Request deletion of your account and personal data	Email us at richard.sullivan2002@gmail.com
Data Portability	Request your data in a portable format (CSV/JSON)	Email us at richard.sullivan2002@gmail.com
Opt-out of Communications	Unsubscribe from non-essential emails	Unsubscribe link in emails or contact us
Revoke Google Access	Remove GolfStax's access to your Google account	Google Permissions page
Parental Access	Parents may access/modify/delete their child's data	Email us with verification

We will respond to data requests within 30 days. We may require identity verification before processing requests.

10. Data Retention

Active Accounts: Data is retained for as long as your account remains active
Tournament Data: Tournament scores and results are retained for the academic year plus one additional year for historical reference
Audit Trails: Score change audit trails are retained for a minimum of one year after tournament completion
Deleted Accounts: Upon account deletion, personal information is removed within 30 days. Some anonymized or aggregated data may be retained for statistical purposes.
Error Logs: Error logs with IP addresses are automatically purged after 90 days
Backups: Data may persist in backup systems for up to 90 days after deletion

11. International Data Transfers

GolfStax is operated in the United States. If you are accessing the Platform from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States. By using the Platform, you consent to this transfer.

12. California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected
Right to Delete: You may request deletion of personal information we have collected
Right to Opt-Out of Sale: We do not sell personal information. No opt-out is necessary.
Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at richard.sullivan2002@gmail.com.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Material changes will be communicated via platform notification or email. Continued use of the Platform after changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related questions, data requests, or concerns:

GolfStax — Privacy Inquiries
CnR Assets, LLC
Email: richard.sullivan2002@gmail.com
Website: golfstax.com

For COPPA/FERPA requests concerning minor students, please include "Minor Privacy Request" in the subject line.