1. Who We Are
SQR1 Golf is operated as a trading name in the United Kingdom. We are the data controller for the personal information you provide when using the SQR1 Golf platform (the "Service").
We are registered with the Information Commissioner's Office (ICO) as required under UK data protection law. Our registration details are available on the ICO public register at ico.org.uk.
2. What We Collect
We collect the following categories of personal data:
- Account data — name, email address, username, phone number, and postal address provided at registration
- Profile data — profile picture, handicap index, home golf club, preferred hand, and any other profile information you choose to add
- Golf performance data — round scores, hole-by-hole statistics, club distances, course notes, approach tracking, scrambling records, and any other data you voluntarily record through the Service
- Coaching relationship data — if you use the coaching features, we store records of coach and client connections, requests, and any performance notes shared within those relationships
- Payment data — transaction records are processed by Stripe. We do not store full card numbers; we hold only a tokenised Stripe customer reference and a history of transactions made through the Service
- Points and transaction history — records of points earned, spent, purchased, and adjusted within the app
- Marketing preferences — your choice at registration and any subsequent changes regarding whether you wish to receive marketing communications from us
- Technical data — IP address, browser type, device information, and usage logs collected automatically when you use the Service
- Communications — messages sent via the in-app messaging system, support requests, and any other correspondence with us
We do not collect sensitive personal data such as health information, racial or ethnic origin, or political opinions.
3. How We Use Your Data
We use your personal data to:
- Create and manage your account and provide access to the Service
- Process payments and manage your points balance and subscription
- Calculate, display, and benchmark your golf performance statistics against scratch and target handicap standards
- Generate personalised yardage book PDFs using your club distance data and course information
- Enable coaching relationships — sharing relevant performance data between coaches and their clients where a relationship has been established
- Send transactional emails such as account confirmations, payment receipts, and password resets
- Send marketing communications where you have given consent, and provide a straightforward way to withdraw that consent at any time
- Respond to support requests and improve the Service based on usage patterns
- Comply with our legal obligations and prevent fraud or misuse
We do not use your golf performance data for any purpose other than providing the Service to you. We do not sell your data to third parties or use it for advertising.
4. Legal Basis for Processing
Under UK GDPR we rely on the following legal bases:
- Contract — processing necessary to provide the Service you have signed up for, including account management, statistics calculation, PDF generation, and payment processing
- Legitimate interests — technical logging for security and performance monitoring, and fraud prevention, where our interests do not override your rights
- Legal obligation — retaining financial records as required by HMRC and applicable law
- Consent — where we ask for your explicit agreement, such as optional marketing communications. You may withdraw consent at any time from your account settings page
5. Sharing Your Data
We do not sell your personal data. We share data only with the following categories of third parties, and only to the extent necessary:
- Stripe — payment processing. Subject to Stripe's own privacy policy and PCI DSS Level 1 compliance
- Railway — server infrastructure for running the Service. Railway's infrastructure runs on Amazon Web Services (AWS) data centres located in the United States. This constitutes a transfer of personal data outside the UK; see Section 5b (International Data Transfers) below for the legal basis for this transfer
- Cloudflare R2 — cloud object storage used to store user-uploaded profile pictures. Files are stored on Cloudflare's infrastructure and served via Cloudflare's global network. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy
- SendGrid — transactional email delivery only (account confirmations, password resets, receipts). No marketing data is shared
- hCaptcha — we use hCaptcha on our registration form to protect against automated abuse and bot sign-ups. hCaptcha is operated by Intuition Machines Inc. When you complete the verification, hCaptcha may collect your IP address, browser information, and behavioural signals as part of its bot detection process. This processing is based on our legitimate interest in protecting the Service from abuse. hCaptcha's privacy policy is available at hcaptcha.com/privacy
- Google Fonts — if you consent to optional resources, font requests are made to Google's servers. No personal account data is transmitted; Google may log your IP address as part of standard server logging
- Cloudflare CDN — if you consent to optional resources, Leaflet.js and Chart.js are fetched from Cloudflare's content delivery network. Cloudflare does not set tracking cookies and no personal data is transmitted
- Mapping tile providers — anonymised tile requests are made to generate satellite imagery for the course planner. No personal data is transmitted
- Your coach — if you establish a coaching relationship through the Service, your coach will have access to your golf performance data as displayed within the coaching dashboard. You control this relationship and may end it at any time
We may disclose your data if required to do so by law, or in response to a valid legal request from a regulatory authority or law enforcement agency.
5a. hCaptcha
We use the hCaptcha security service (operated by Intuition Machines Inc., Delaware, USA) on our registration page to protect against automated sign-ups and abuse. hCaptcha's use of your data is governed by their Privacy Policy and Terms of Service.
When you complete the hCaptcha verification, the following data may be collected and processed by Intuition Machines Inc.:
- IP address
- Browser type and version
- Mouse movements and interaction patterns (used for bot detection)
- Time spent on the verification task
This processing is necessary for our legitimate interest in protecting the Service from automated abuse. hCaptcha does not use this data for advertising purposes. For more information visit hcaptcha.com/privacy.
5b. International Data Transfers
SQR1 Golf is operated from the United Kingdom. However, some of our third-party service providers process your personal data on servers located in the United States and other countries outside the UK. Under UK GDPR, transferring personal data to a country without an adequacy decision requires an appropriate legal safeguard.
We rely on the following mechanisms to ensure your data receives adequate protection when transferred outside the UK:
- UK-US Data Bridge — the UK Government has recognised the UK Extension to the EU-US Data Privacy Framework (known as the UK-US Data Bridge) as providing adequate protection for personal data transferred from the UK to certified US organisations. Our key providers — including Amazon Web Services (Railway's infrastructure) and Stripe — are certified under this framework
- UK International Data Transfer Agreements (IDTAs) / Standard Contractual Clauses — where a provider is not covered by an adequacy decision or the UK-US Data Bridge, we rely on contractual protections in the form of IDTAs or equivalent Standard Contractual Clauses incorporated into our Data Processing Agreements with those providers
The following providers process data outside the UK:
- Railway / Amazon Web Services — United States. Transfer basis: UK-US Data Bridge (AWS certification) and AWS Data Processing Addendum
- Stripe — United States. Transfer basis: UK-US Data Bridge (Stripe certification) and Stripe Data Processing Agreement
- SendGrid (Twilio) — United States. Transfer basis: Standard Contractual Clauses / IDTA incorporated in Twilio's Data Processing Addendum
- hCaptcha (Intuition Machines Inc.) — United States. Transfer basis: Standard Contractual Clauses incorporated in hCaptcha's terms
- Cloudflare — global infrastructure. Transfer basis: Cloudflare's Data Processing Addendum incorporating Standard Contractual Clauses
We take reasonable steps to satisfy ourselves that our service providers implement appropriate technical and organisational measures to protect your personal data in line with UK GDPR standards. You may request further information about the specific safeguards we have in place by contacting us at privacy@sqr1golf.com.
6. How Long We Keep Your Data
We retain your data for as long as your account is active. Specifically:
- Account and profile data — retained for the lifetime of your account and for 12 months after deletion for dispute resolution purposes, then permanently deleted
- Golf performance data (rounds, stats, club distances, yardage books, courses) — retained for the lifetime of your account and for 12 months after account deletion, then permanently deleted
- Coaching relationship data — retained while the relationship is active; deleted when the relationship is ended or either party's account is closed
- Financial transaction records — retained for 7 years as required by HMRC rules, even after account deletion
- Technical logs — retained for a maximum of 90 days
- Marketing preference records — retained for the lifetime of your account so we can honour your choices
- Administrative audit logs — retained for 24 months from the date of each action to enable us to defend against payment disputes and demonstrate regulatory accountability. These logs may contain your user ID and Stripe customer reference but do not include your golf performance data. This retention is permitted under Article 17(3)(e) of UK GDPR for legal claims defence
When you delete your account, your account is immediately deactivated and you lose access to the Service. Your personal data — including name, email, golf performance data, and account history — is retained for 12 months from the date of deletion to allow us to defend against payment disputes, chargebacks, and legal claims under Article 17(3)(e) of UK GDPR. This data is restricted from normal operations and is only accessible for dispute resolution purposes.
After the 12-month retention window has elapsed, all personal data except administrative audit logs is permanently and automatically deleted from our systems. Audit logs are retained for an additional 12 months (24 months total) for accountability and legal defence purposes, then permanently deleted.
7. Your Rights
Under UK GDPR you have the following rights:
- Right of access (Subject Access Request) — you can request a copy of the personal data we hold about you. You can download much of your data immediately using the "Download My Data" feature in your account settings, which provides a machine-readable export. For a full Subject Access Request, contact us at the address below and we will respond within 30 days
- Right to rectification — you can correct inaccurate personal data via your account settings at any time, or contact us if you need assistance
- Right to erasure — you can permanently delete your account and all associated personal data from the account settings page. We will complete deletion within 30 days. Financial records required by law are exempt from erasure
- Right to restrict processing — you can ask us to limit how we use your data in certain circumstances, for example while a rectification request is being resolved
- Right to data portability — you can export your golf performance data in JSON format at any time from your account settings using the "Download My Data" feature
- Right to object — you can object to processing based on legitimate interests. We will cease that processing unless we have compelling legitimate grounds that override your interests
- Right to withdraw consent — where processing is based on consent (such as marketing emails), you can withdraw consent at any time from your account settings. This does not affect the lawfulness of processing before withdrawal
- Rights related to automated decision-making — we do not make automated decisions with legal or significant effects about you
To exercise any of these rights, email us at privacy@sqr1golf.com. We will acknowledge your request within 5 working days and respond in full within one calendar month. You also have the right to lodge a complaint with the ICO at ico.org.uk or by calling 0303 123 1113.
8. Cookies & Third-Party Resources
SQR1 Golf uses a small number of cookies and gives you control over optional third-party resources through a consent banner shown on your first visit.
Strictly necessary cookies — we set two cookies that are essential for the Service to function: a session cookie (sessionid) that keeps you logged in, and a CSRF security token (csrftoken) that protects form submissions. These cannot be disabled.
Your consent choices — on your first visit, a banner gives you two options:
- Essential Only — only the strictly necessary cookies above are active. The Service works fully. No connections are made to Google's font servers or any third-party CDN
- Accept All — in addition to essential cookies, we load Google Fonts for typography, Leaflet.js for the course planner maps, and Chart.js for performance charts. These are fetched from Google's servers and Cloudflare's CDN respectively, and are only ever loaded after you give consent
Your consent preference is stored in your browser's localStorage (not as a cookie) and respected on all future visits. You can change it at any time by clearing your browser's localStorage.
Our registration page uses hCaptcha, which may set cookies or use browser storage as part of its human verification process. These are used solely for security purposes to distinguish humans from automated bots. hCaptcha's cookie usage is governed by Intuition Machines Inc.'s privacy policy at hcaptcha.com/privacy.
We do not use advertising cookies, analytics cookies, or any third-party tracking scripts. For full details see our Cookie Policy.
9. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- Passwords are hashed using Django's default PBKDF2 algorithm — we cannot see your password in plain text
- All data is transmitted over HTTPS with TLS encryption
- Access to production systems and data is restricted to authorised personnel only
- Payment card data is handled entirely by Stripe and never touches our servers
- Regular backups are maintained to ensure data integrity and availability
No method of transmission over the internet is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice within the Service before the change takes effect. The date at the top of this page shows when the policy was last updated.
Continued use of the Service after changes are posted constitutes acceptance of the updated policy. If you do not agree with any changes, you may close your account at any time from the account settings page.
For any privacy-related queries, data subject requests, or complaints:
Email: privacy@sqr1golf.com
We aim to acknowledge all privacy enquiries within 5 working days and respond in full within one calendar month.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.