Privacy Policy

What we collect and why.

Effective May 14, 2026. Stymie Golf is operated by Emerson Capital LLC. This policy describes what data we collect when you use stymiegolf.co, how we use it, who else touches it, and how to get it removed. We try to keep the language plain.

1. The short version

We collect what you tell us (your email, your trip's roster, your scores) and what your browser tells us when you visit (page views, errors, basic device info). We use it to run the service, fix bugs, and improve the product. We don't sell your data. You can request a copy or a deletion any time by emailing kyle@stymiegolf.co.

2. Information you give us

  • Account:email address. If you use the password sign-up, a hashed password (we never see the plaintext — it's handled by Supabase Auth). You can optionally add a name.
  • Trip data: trip name, destination, dates, captain name and email, courses, schedule, lodging notes, roster, teams, formats, matches, hole scores, side bets, and the recap.
  • Player profile: if you join a trip, your captain may pre-fill your row with a name. You can edit your own row to add a handicap index, phone number, photo, bio, or hometown. All of those fields are optional. Player profile data is visible to the rest of the crew on the same trip.
  • Communications: if you email us at kyle@stymiegolf.co, we keep the message so we can reply.

3. Information we collect automatically

  • Page views (PostHog): when you load a page, we record the URL, the referrer, your approximate location from IP, the browser and OS string, and the screen size. After you sign in, those events are linked to your user ID and email. Anonymous visitors are not given persistent profiles.
  • Errors and session replays (Sentry):when the app throws an error, we capture the stack trace, browser info, and a short replay of the session leading up to the error. Replays are also recorded on a small sample of normal sessions to help debug usability issues. Text inputs are masked in the replay so we don't capture what you typed. Replays may include your user ID and email if you were signed in.
  • Network and security:our hosting and CDN (Vercel + Cloudflare) record request metadata — IP address, timestamp, URL, response code — for security and abuse prevention. We rate-limit sensitive endpoints via Upstash Redis using a hash of your IP.

4. Cookies and local storage

  • Auth cookie:Supabase sets a same-site session cookie when you sign in. It's required for the app to work and disappears when you sign out.
  • localStorage:we use your browser's localStorage to remember your theme preference, any captain tokens you've been issued, an offline queue for writes made on a flaky connection, and a small set of “you already saw this” sentinels so the recap doesn't re-pop. Nothing in localStorage leaves your device.
  • No advertising cookies.We don't run ads, ad-network pixels, or third-party trackers beyond the analytics and error tools named above.

5. How we use your data

  • To run the service — show your trip, score your matches, deliver the recap.
  • To send you transactional email — sign-in codes, the post-trip recap, and (later) Stymie Wrapped.
  • To send the trip's commissioner administrative pings about their account activity.
  • To monitor product usage in aggregate so we know which features matter.
  • To investigate bugs, abuse, or security incidents.
  • To comply with law when we're legally required to.
We do not sell your personal information. We do not share it with advertisers or data brokers.

6. Third-party processors

To operate Stymie we rely on the vendors below. Each is bound by its own privacy and security obligations.
  • Supabase — database, authentication, file storage. US data center.
  • Vercel — hosting and cron jobs.
  • Cloudflare — DNS for stymiegolf.co.
  • Resend — transactional and administrative emails sent from stymiegolf.co.
  • Google Workspace — the kyle@stymiegolf.co inbox.
  • PostHog (US instance) — product analytics.
  • Sentry — error tracking and the masked session replay described above.
  • Upstash — Redis-backed rate limiting.
  • GolfCourseAPI — course look-up. Search queries are proxied server-side; the upstream sees them tied to our API key, not to you.
  • Open-Meteo — weather forecast. Your browser fetches this directly with a course's coordinates.
If we add or replace a processor we'll update this section.

7. Where your data lives

Our primary database and file storage are in the United States. If you're using Stymie from outside the US, your data will be transferred to and processed there.

8. How long we keep your data

We keep your account and trip data for as long as the account is active. If you ask us to delete your account, we remove the account record, your trips you owned that aren't shared collaboratively, and your player rows within 30 days. Backups age out separately on a rolling cycle. We may retain a minimal record of your email if necessary to honor a deletion request and prevent re-creation through automated abuse.

9. Your choices

  • Access or correct your data. Most of it is editable directly in the app — your profile, your scores, your trip. For anything else, email kyle@stymiegolf.co.
  • Delete your account. Email kyle@stymiegolf.co with the subject “Delete my account.”
  • Opt out of analytics. Email kyle@stymiegolf.co and we'll suppress PostHog identification on your user ID.
  • EU/UK residents have the rights granted by GDPR — access, rectification, erasure, portability, restriction, objection. California residents have the rights granted by the CCPA, including the right to know what we collect and to request deletion. Email us to exercise any of these.

10. Children

Stymie is not directed to children under 13 and we don't knowingly collect data from them. If you believe we have, please email kyle@stymiegolf.coand we'll remove it.

11. Security

We protect data with strong defaults: HTTPS everywhere, a strict Content-Security-Policy, HSTS, row-level security on the database, token-based access controls on every trip surface, and rate limiting on sensitive endpoints. No system is perfectly secure; if you find a vulnerability, email kyle@stymiegolf.coand we'll work it quickly.

12. Changes to this policy

When we change this policy in a material way, we'll update the “Effective” date and, for significant changes, notify you by email or in the app. Older versions are available on request.

13. Contact

Questions about privacy, a deletion request, or a vendor concern? Email kyle@stymiegolf.co. We answer every message.

Emerson Capital LLC · Georgia, USA