Privacy Policy

This Privacy Policy describes how Parful Inc. ("we," "us," or "our") collects, uses, shares, and protects personal information when you use the Parful platform ("Platform"), including our website, applications, and related services.

By using the Platform, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Platform.

A. Information You Provide Directly

• Account Information: Name, email address, and password when you create an account
• Profile Information: Phone number, physical address, gender, and golf-specific details (GHIN ID, handicap index, home course)
• Event Information: Event details, descriptions, dates, pricing, and course locations that operators publish
• Registration Information: Buyer name, email, phone, company, and player details when registering for events
• Payment Information: Payment card details are collected and processed directly by Stripe; we receive only transaction confirmations, last four digits, and receipt URLs
• Sponsor Information: Company name, contact name, email, phone, website, and logo
• Communications: Messages you send to us, including support requests and feedback
• User Content: Images (club logos, sponsor logos, event photos), event descriptions, scores, and other content you upload

B. Information Collected Automatically

• Device and Browser Information: Browser type, operating system, device type, and screen resolution
• Usage Data: Pages visited, features used, click patterns, and time spent on the Platform
• IP Address: Used for approximate geolocation, security monitoring, and fraud prevention
• Cookies: Authentication cookies to maintain your session (see Section 7)

C. Information From Third Parties

• GHIN/USGA: If you provide your GHIN ID, we retrieve your handicap index, score history, handicap revision dates, and associated club information from the Golf Handicap and Information Network
• Stripe: Payment confirmation, refund status, and account verification data for operators using Stripe Connect
• Google APIs: Course location data, address validation, weather conditions, and course photos from Google Maps and Places APIs

We use personal information to:

• Provide the Platform: Create and manage your account, process registrations, enable scoring and leaderboards, and facilitate communications
• Process Payments: Process event registrations, sponsorship payments, donations, and subscription billing through Stripe
• Send Communications: Deliver transactional emails (payment confirmations, event reminders, results), account notifications, and optional promotional communications
• Sync Handicap Data: Retrieve and display your GHIN handicap information for use in competitions and events
• Improve the Platform: Analyze usage patterns to improve features, fix issues, and develop new functionality
• Ensure Security: Detect and prevent fraud, unauthorized access, and abuse
• Comply with Law: Meet legal obligations, respond to legal processes, and protect rights
• Contact Database: Operators may collect and maintain contact information from event participants and sponsors for future event invitations and communications

We do not sell your personal information. We share information only in the following circumstances:

A. With Operators and Club Managers

When you register for an event or join a club, the operator/manager can see the information you provided (name, email, phone, company, handicap, scores). This is necessary for event management, group assignments, and communication about the event.

B. With Service Providers

• Stripe, Inc.: Payment processing and financial services (Stripe Privacy Policy)
• Google/Firebase: Application hosting, database, file storage, and authentication (Firebase Privacy)
• Twilio SendGrid: Email delivery services (Twilio Privacy Policy)
• USGA/GHIN: Handicap data retrieval (server-to-server only)

C. For Legal Reasons

We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

D. Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change via email or prominent notice on the Platform.

We retain your information for as long as necessary to provide the Platform and fulfill the purposes described in this policy:

• Account Data: Retained while your account is active. Upon account deletion request, we will delete or anonymize your data within 30 days, except where retention is required by law
• Golf Scores and Statistics: Retained for the duration of your account for historical leaderboards and competition records
• Payment Records: Retained for 7 years as required for tax and financial compliance
• Audit Logs: Retained for security, fraud prevention, and compliance purposes
• Email Delivery Logs: Retained for 30 days for deliverability monitoring
• GHIN Handicap Cache: Refreshed weekly; historical records retained for account duration

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption in transit (TLS/SSL) for all data transmission
• Encryption at rest for stored data (Google Cloud/Firebase infrastructure)
• Role-based access controls limiting data access by user role
• Field-level privacy controls (sensitive fields like GHIN ID, email, and phone are restricted by role)
• Server-side authentication for all API endpoints
• No storage of complete credit card numbers (handled entirely by Stripe PCI DSS Level 1)
• Tenant isolation ensuring club data is accessible only by authorized members
• Audit logging of data access and modifications

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.

We use a minimal set of cookies necessary for Platform operation:

• __auth_uid: Authentication cookie storing your user identifier. Essential for maintaining your session and protecting routes. Expires after 24 hours
• __auth_role: Stores your platform-level role for UI display purposes. Expires after 24 hours

We do not use third-party advertising cookies, tracking pixels for ad targeting, or cross-site tracking technologies. We do not participate in ad networks or sell data to advertisers.

Firebase and Stripe may set their own cookies as part of their services. Please refer to their respective privacy policies for details.

Depending on your jurisdiction, you may have the following rights regarding your personal information:

A. All Users

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal retention requirements)
• Opt-Out of Communications: Unsubscribe from promotional emails at any time via email settings or unsubscribe links
• Data Portability: Request your data in a commonly used, machine-readable format (CSV export)

B. California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, you have the right to:

• Know what personal information we collect, use, and disclose
• Delete your personal information (with certain exceptions)
• Opt out of the "sale" or "sharing" of personal information. We do not sell or share your personal information as defined under CCPA/CPRA
• Non-discrimination for exercising your privacy rights
• Correct inaccurate personal information
• Limit the use of sensitive personal information. We collect and use sensitive information (such as your precise geolocation) only as needed to provide the services you request

Categories of information collected in the past 12 months: Identifiers (name, email, phone), commercial information (purchase history), internet activity (usage data), geolocation data (IP-based), and professional information (GHIN ID, handicap).

C. Virginia Residents (VCDPA)

Virginia residents have the right to access, correct, delete, obtain a copy of, and opt out of targeted advertising and profiling. We do not engage in targeted advertising or profiling as defined under the VCDPA.

D. Colorado Residents (CPA)

Colorado residents have similar rights to access, correct, delete, and obtain portable copies of their data. You may opt out of targeted advertising, sale of personal data, and profiling. We do not engage in these activities.

E. Connecticut Residents (CTDPA)

Connecticut residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of targeted advertising, sales, and profiling. We do not sell personal data or engage in targeted advertising.

F. Utah Residents (UCPA)

Utah residents have the right to access and delete their personal data, and to opt out of the sale of personal data and targeted advertising. We do not sell personal data.

To exercise any of these rights, please contact us at privacy@parful.io. We will respond within the timeframe required by applicable law (typically 45 days). We may need to verify your identity before processing your request.

The Platform is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information promptly. If you believe a child under 13 has provided us personal information, please contact us at privacy@parful.io.

Users between 13 and 18 may use the Platform only with the involvement of a parent or legal guardian who agrees to these Terms and this Privacy Policy on their behalf.

Some browsers transmit "Do Not Track" (DNT) signals. Since there is no common industry standard for DNT, we do not currently respond to DNT signals. However, as described in Section 7, we do not use third-party advertising trackers or cross-site tracking.

The Platform is operated from the United States. If you access the Platform from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Platform, you consent to this transfer and processing.

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy.

We encourage you to review this policy periodically for any changes.

For questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

• Email: privacy@parful.io
• Parful Inc.

If you are not satisfied with our response, you may have the right to lodge a complaint with your state attorney general or applicable regulatory authority.