Privacy Policy

Effective date: April 27, 2026

ClubFlow.io (“ClubFlow,” “we,” “us”) provides a golf tournament management platform used by tournament directors, players, spectators, and Calcutta auction participants. This Privacy Policy explains what we collect, how we use it, and the choices you have.

1. Information We Collect

We collect only what is needed to run a tournament:

  • Account information — name, email address, and (for captains and bidders) mobile phone number. When you sign in with Google or Facebook, we receive your name, email, and profile picture from that provider.
  • Tournament data — teams, scores, pairings, Calcutta bids, ownership records, and payout calculations that you or your tournament director enter.
  • Device and log data — IP address, browser type, pages visited, and error reports, used to keep the service running and secure.
  • Cookies and session tokens — used to keep you signed in and to remember your role in a tournament. See Section 5.

2. SMS Messages

If you provide a mobile phone number to participate in a Calcutta auction, you will receive a one-time verification code by SMS to confirm your phone number. SMS delivery is handled by Google Firebase Authentication on our behalf. We do not send marketing or recurring SMS messages, and we do not share your phone number with third parties for marketing.

Team invitations from captains are delivered by email with a shareable link. Message and data rates may apply for the verification SMS.

3. How We Use Information

  • Authenticate you and preserve your session
  • Display leaderboards, pairings, and Calcutta results to the appropriate audience
  • Deliver transactional email and SMS you have opted into
  • Operate, secure, and improve the service (including error monitoring and abuse prevention)
  • Comply with legal obligations

ClubFlow does not process payments for Calcutta auctions. We track money owed between participants; settlement happens outside the platform (cash, Venmo, or similar).

4. How We Share Information

We do not sell personal information. We share information only with:

  • Service providers we rely on to operate the service. Each provider is bound by contractual privacy terms:
    • Amazon Web Services (AWS) — hosting (Lambda, CloudFront, S3, Route 53, ACM)
    • Cloudflare — bot protection (Turnstile)
    • Facebook — OAuth sign-in (when you choose to sign in with Facebook)
    • Firebase (Google) — phone number verification for Calcutta bidders, push notifications, and server-side ID-token verification
    • Google — OAuth sign-in (when you choose to sign in with Google)
    • Resend — transactional email (captain team invites, Supabase Auth emails)
    • Sentry — error tracking and crash diagnostics
    • Supabase — database, authentication, realtime, and storage
    • Venmo — peer-to-peer payment deep links for Calcutta payouts. ClubFlow only generates the link; Venmo itself handles all financial data and the actual transfer.
  • Your tournament director and other participants who can see the information you enter in the context of a tournament (team names, scores, bids, ownership).
  • Law enforcement or authorities when required by law or to protect users.

5. Cookies and Similar Technologies

We use cookies to keep you signed in (Supabase session cookies), to remember your Calcutta bidder session, and to verify that you are human via Cloudflare Turnstile. We do not use advertising or cross-site tracking cookies.

6. Data Retention

Tournament records are retained for as long as your tournament director keeps their ClubFlow account active. You may request deletion of your account and associated personal information at any time (see Section 8). Aggregate and anonymized data may be retained indefinitely.

7. Security

We protect information in transit with HTTPS/TLS and at rest with AES-256 encryption. Access to production systems is restricted and logged. No system is perfectly secure; if a breach affecting your data occurs, we will notify you as required by law.

8. Your Rights

You may:

  • Access the information we hold about you
  • Correct information that is inaccurate
  • Delete your account and associated personal information
  • Request removal of your phone number from our records (email privacy@club-flow.io)
  • Export your tournament data in CSV or PDF format

To exercise any of these rights, email privacy@club-flow.io. We respond within 30 days.

9. Children’s Privacy

ClubFlow is not directed to children under 13 and we do not knowingly collect personal information from them. If you believe a child has provided us with personal information, contact us and we will delete it.

10. International Users

ClubFlow is operated in the United States. If you are accessing the service from outside the U.S., you understand that your information will be processed in the U.S. under U.S. law.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be announced in the product and by email to tournament directors. The “Effective date” above reflects the most recent revision.

12. Contact

Questions about this policy: privacy@club-flow.io