Privacy Policy

This privacy policy explains how GolfBooker processes personal data. We comply with the EU General Data Protection Regulation (GDPR) and its principles, including data minimisation, transparency and security.

1. Data Controller

Funect Oy ("Funect")
Business ID: 3571724-7
Address: Kivelänkatu 1 B, 00260 Helsinki, Finland
Email: support@golfbooker.fi

GolfBooker is a platform maintained by Funect Oy for golf clubs, businesses and players. For clubs we provide operations management, booking and tournament systems. For players we offer tee time booking, scoring, handicap tracking and social features.

Data Controller Roles

The controller role may vary depending on the purpose of processing:

• A golf club typically acts as the data controller for its own members and tournament-related data. Funect processes this data on behalf of the club as a processor.
• Funect acts as the data controller for its own sales, marketing, CRM, and contract management data, as well as certain services offered directly to players (see the eBirdie section).
• In some implementations, Funect and the golf club may act as joint controllers (GDPR Article 26), in which case responsibilities are agreed upon separately (e.g. system usage and communication). In such cases you can exercise your data subject rights by contacting either party; we will ensure your request is handled regardless of which controller you contact.

2. Purposes of Processing

We process personal data only for pre-defined and legitimate purposes.

Membership and Operations Management

Member relationships, tee time scheduling, tournaments, invoicing, mobile app and system functionality.
Legal basis: contract / legitimate interest (depending on role and usage).

Communications

Service notifications, booking confirmations, tournament updates, payment reminders.
Legal basis: contract / legitimate interest.

Newsletters and Direct Marketing

We send newsletters and product/service updates (e.g. new features, training, webinars, offers). For this purpose, we typically process your email address and possibly your name, organisation/club, role and language/topic preferences.

You can opt out of direct marketing at any time using the "Unsubscribe" link in newsletters or by contacting support@golfbooker.fi.

Legal basis for newsletters:

• Consent, when you have subscribed to the newsletter or given permission during a demo/meeting.
• Customer relationship, when we communicate about our own similar products/services based on an existing customer relationship.
• Business-to-business communications (e.g. general contact addresses): we always provide an opt-out option.

Handicap Round Submission to eBirdie (Finland)

GolfBooker allows players to submit handicap round data to the Finnish eBirdie service for handicap processing. In this function, Funect acts as the data controller when the service is used directly by the player without the player's home club using GolfBooker as its system.

• Data processed: player identifier (e.g. member number/ID), round date and course, tees, score (hole-by-hole or total), game format and data required for handicap calculation.
• Purpose and legal basis: fulfilling the player's request / performance of a contract.
• Recipient: the Finnish Golf Union / eBirdie acts as a separate data controller for handicap processing.
• Rights: you can exercise your rights by contacting support@golfbooker.fi; for data already transferred to the Union, your request may also be directed to the Finnish Golf Union.

Service Development and Security

Quality improvement, system development, analytics, logging, abuse prevention.
Legal basis: legitimate interest. We assess the necessity and proportionality of processing and balance our interests against the rights and freedoms of data subjects.

Legal Compliance

Accounting, taxation, consumer protection, government requests.
Legal basis: legal obligation.

Contact Discovery (Find Friends)

When you enable Find Friends, the app uses phone numbers from your device contacts to create privacy-preserving identifiers. Phone numbers are hashed on your device before any data leaves it, and only the hashed identifiers are sent to our server. We do not upload or store your contacts or phone numbers in plain text, and we do not store contact names.

We use these hashed identifiers only to match you with friends who also use GolfBooker. The identifiers are not used for marketing or any other purpose. This feature is fully opt-in and requires your explicit consent. You can disable Find Friends at any time, which will delete the stored identifiers associated with your account.

• Data collected: Hashed identifiers derived from phone numbers in your device contacts
• Purpose: Match you with friends who use GolfBooker
• Legal basis: Consent (opt-in, withdrawable at any time)
• Storage: Supabase database (EU)
• Retention: Stored only while the feature is enabled. Deleted from active systems when you disable the feature or delete your account. Identifiers may persist in backups until overwritten (typically 30–90 days).

We implement additional technical safeguards to reduce the risk of these identifiers being reverse-engineered.

3. What Data We Collect

We collect personal data in various ways:

• You have provided the data when using the service or contacting us
• A golf club administrator adds data to the system
• Data is generated during use (logs, events, errors)
• Data is transmitted via integrations (e.g. eBirdie)
• Data is obtained from partners or public sources (e.g. general contact information of organisations)

Information When Data Is Not Obtained From the Data Subject (GDPR Article 14)

When we receive personal data from sources other than the data subject, we inform the data subject no later than at the time of first contact and disclose the source of the data. When a golf club acts as the data controller, the data subject receives primary information from their own golf club.

Categories of Personal Data

• Basic and contact details: name, address, email, phone number
• Membership and golf data: membership details, handicap, login credentials, tournament results, scorecards, round statistics
• Newsletter and communication data: subscription/consent status, communication preferences, technical tracking data (for improving deliverability and content)
• Customer relationship data: invoicing, payment transactions, bookings/cancellations, tournament registrations, equipment rentals, customer contacts
• Technical data: device information, browser/OS, app settings, IP address, session identifiers, login timestamps, error logs and performance metrics
• Contact discovery data: hashed identifiers derived from phone numbers in device contacts (for friend matching; consent-based, deleted on opt-out or account deletion)

Mandatory data includes the basic information necessary for service delivery. We do not engage in automated decision-making or profiling that would have legal effects or similarly significant impacts on data subjects (GDPR Article 22).

Minors

The service may also be used to manage junior player data in golf club operations. In such cases, the golf club acts as the data controller and is responsible for obtaining necessary consents and guardian communication in accordance with applicable legislation.

4. Data Retention

We retain data only for as long as necessary for the purposes of processing, legal obligations, or the protection of legitimate interests. Data is deleted or anonymised after the retention period expires.

Examples of retention periods:

• Newsletter list: as long as the subscription is active; we delete/anonymise no later than 24 months after the last activity. We retain a minimum amount of data to comply with marketing opt-outs.
• Invoicing and accounting records: in accordance with the Accounting Act (typically 6–10 years depending on the records).
• Technical and security logs: typically 12–24 months, unless investigation of an incident requires longer retention.
• Backups: typically overwritten within 30–90 days.

5. Data Disclosure and Access

Sub-processors (Service Providers)

We use third-party service providers (sub-processors) to deliver the service. They process personal data on our behalf only for agreed purposes and in accordance with data processing agreements (DPA). Service providers may be used in categories such as: hosting/infrastructure, databases, email and messaging delivery, analytics, logging and monitoring, payment processing and customer support.

An up-to-date list of service providers is available upon request: support@golfbooker.fi.

Data Transfers Outside the EU/EEA

Service providers may be located within or outside the EU/EEA. If personal data is transferred outside the EU/EEA, the transfer is carried out using a GDPR-compliant transfer mechanism and safeguards, such as the European Commission's Standard Contractual Clauses (SCC, 2021/914) and where necessary, supplementary measures (e.g. encryption, pseudonymisation, access controls, minimisation). Processing takes place primarily within the EU/EEA when possible based on service settings and provider options.

Data Access / Recipients

• Golf club administrators (in the club's controller role)
• Service providers (as sub-processors on behalf of Funect)
• Finnish Golf Union / eBirdie (as a separate controller for handicap processing)
• Authorities, if required by law or government order
• Authorised Funect personnel for security, abuse prevention and service maintenance
• Other parties only with the explicit consent of the data subject

We do not sell your personal data.

6. Data Subject Rights

You have the right to access your data, request rectification, erasure, or restriction of processing, object to processing (particularly direct marketing), data portability, and to withdraw consent insofar as processing is based on consent. The availability of individual rights depends on the legal basis of the processing in question; not all rights can be exercised in every situation. You may lodge a complaint with the supervisory authority (the Office of the Data Protection Ombudsman, tietosuoja.fi).

We respond to requests without undue delay and no later than one month from receipt. If the request is complex or we receive a large number of requests, the response period may be extended by a further two months, in which case we will inform you within the first month. For data portability requests, data is provided in a structured, commonly used and machine-readable format (e.g. JSON or CSV).

To exercise your rights: support@golfbooker.fi.

7. Data Security

We protect personal data with appropriate technical and organisational measures to prevent unauthorised access, use, alteration, disclosure, destruction, or other unlawful processing. We use, for example, encrypted connections for data transmission, managed access control and monitoring, processing minimisation, staff training and careful selection and oversight of service providers.

In the event of a data breach, we assess the situation without delay, contain and remediate the impact and document the incident. We notify the supervisory authority without undue delay and, where feasible, within 72 hours (GDPR Article 33). If the breach is likely to result in a high risk to the rights and freedoms of data subjects, we also notify the affected individuals without undue delay (GDPR Article 34).

8. Cookies

We use cookies and similar technologies (e.g. local storage, pixels) to ensure service functionality, improve user experience and for measurement and development. You can manage settings via the cookie banner and later through cookie settings.

Necessary Cookies

Required for basic functionality (session, login, security, load balancing, remembering settings). These cannot be blocked, as the service would not function reliably without them.

Analytics (Google Analytics 4)

We use GA4 to understand site usage (e.g. page views, events such as clicks, device/browser/OS data and approximate location data).

• Consent & Consent Mode: analytics is activated only with your consent. We use Consent Mode, where consent governs the use of analytics and related cookies. Consent can be changed or withdrawn at any time through settings.
• IP address: Google may process IP addresses technically for data transmission and approximate location estimation. We do not use IP addresses to identify data subjects and we aim to minimise identifiability by using privacy-enhancing settings and processing data primarily at an aggregated level.
• Retention: GA4 user and event data retention is set to 14 months. The retention period may reset with new user activity.
• Data region: we aim to process analytics data primarily within the EU/EEA when possible. Some data may be processed outside the EU/EEA, in which case GDPR-compliant transfer mechanisms and safeguards apply (e.g. SCC 2021/914 and supplementary measures).

Marketing

Marketing cookies are set only with your consent. You can change your consent at any time through settings.

9. Contact

Privacy matters: support@golfbooker.fi

10. Changes to This Policy

We may update this policy. We will notify you of significant changes on our website or by email.