⚠️ DRAFT — Not reviewed by legal counsel. Do not publish without review.
This privacy policy is a draft prepared for internal review. It requires review by a qualified lawyer before public use.
Privacy Policy
Last updated: 19 April 2026
1. Who we are
Stablesome is a golf matchplay platform operated by [YOUR NAME HERE], based in the Netherlands.
Contact: [YOUR EMAIL HERE]
2. What data we collect
We collect the following personal data when you use Stablesome:
- Account data: email address, password (hashed, never stored in plain text)
- Profile data: first name, last name, username, home club, location (city), WHS handicap
- Match data: match results, hole-by-hole scores, tee times, venues
- Communication data: in-match chat messages
- Availability data: the days and times you mark yourself as available to play
- Push notification subscriptions: browser/device push endpoint (if you opt in)
- Technical data: log data, IP address (processed by our hosting provider, Vercel)
3. Why we collect it
We use your data to:
- Provide the Stablesome service (match you with opponents, track handicaps, manage competitions)
- Send transactional emails (match invitations, results, reminders) — only to your registered email
- Send push notifications if you have opted in
- Calculate your Matchplay Handicap based on match results
- Display your profile to other players on the platform
- Prevent abuse and enforce our Terms of Service
Legal basis: performance of a contract (providing the service you signed up for) and, where applicable, legitimate interests.
4. Who we share it with
We share your data only with the sub-processors needed to run the service:
- Supabase — database and authentication hosting
- Resend — transactional email delivery
- Vercel — web application hosting and CDN
- Upstash — rate limiting (Redis)
We do not sell your data. We do not share your data with advertisers or third-party marketers.
5. Data transfers outside the EU
Some of our sub-processors may store or process data outside the European Union:
- Supabase — can be configured to use EU regions. Bas should verify his project region in the Supabase dashboard.
- Vercel — has EU edge regions but global infrastructure. Verify your deployment region.
- Resend — US-based. Data is subject to US law unless EU data residency is configured.
- Upstash — has EU regions. Verify your Redis instance region.
⚠️ Bas: verify all sub-processor regions before launch. If any data is processed outside the EU without an adequate safeguard (SCCs, adequacy decision), this must be disclosed more specifically here.
6. How long we keep it
We keep your personal data for as long as your account is active. If you delete your account, your data is deleted within 30 days, except where we are required by law to retain it longer.
7. Your rights (GDPR)
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate data (you can do this directly in your profile settings)
- Erasure — request deletion of your account and associated data
- Portability — receive your data in a structured, machine-readable format
- Objection — object to processing based on legitimate interests
- Complaint — lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens
To exercise any of these rights, contact us at [YOUR EMAIL HERE].
8. Cookies and similar technologies
Stablesome uses essential cookies only:
- Authentication session cookie (required to keep you logged in)
- Local storage for session tokens (used by Supabase Auth)
We do not use advertising cookies, tracking pixels, or third-party analytics.
9. Contact
Questions about this policy? Email us at [YOUR EMAIL HERE].