Last updated: June 11, 2026
Privacy Policy
ScrambleSync — Effective June 11, 2026
1. Who we are
ScrambleSync is a golf scramble tournament management platform operated by Coyote Valley Technology Solutions, LLC (“we,” “us,” or “our”), a Utah limited liability company. This policy explains what personal data we collect, why we collect it, how it is handled, and the rights you have over it.
2. Our role with your data
ScrambleSync plays two different roles depending on whose data is involved:
- For organizer-account data (an organizer’s name, email, sign-in credentials, billing relationship, and our server logs), ScrambleSync is the controller — we decide how and why that data is processed.
- For player and tournament data that an organizer enters, imports, or collects through our service (player details, scores, photos, messages, and on-course location), the organizer is the controller and ScrambleSync acts as a processor / service provider, handling that data on the organizer’s behalf under our Data Processing Addendum.
If you are a player and want to exercise rights over your data, the fastest route is the organizer running your event; we will assist them and forward requests as appropriate.
3. Data we collect
We collect different data depending on your role:
- Tournament organizers: name, email address, and authentication credentials. Sign-in uses an email and password, and may be secured with a passkey and/or a time-based one-time code (two-factor authentication). Billing and payment card details are handled directly by Stripe and are not stored on our servers.
- Players and team captains: players join with a team access code — no account is required. Depending on what the organizer enters or imports (or what a player provides during online registration), we may hold a player’s name and, optionally, email address, phone number, company, and shirt size, along with cart assignment and check-in status. During play we store team and hole-by-hole scores and a digital signature used to finalize the scorecard.
- Location (golfers): if a golfer grants location permission, their device’s GPS position is used within their browser to show distance-to-pin and on-course position. For most golfers this location stays on the device and is not sent to our servers. One exception: if you are the person keeping score for your team, your device’s approximate location is shared with the event organizer during the round so they can see team positions on their live course map. Only the latest position per team is kept (no location history), and it is deleted when the team or tournament is deleted. Granting location access is optional and can be declined.
- Photos: where the organizer enables it, players may upload team or event photos, which are stored with the tournament and shown to that tournament’s participants and organizer.
- Messages: messages sent between the organizer and teams through the app (e.g. announcements, pace-of-play notes) are stored with the tournament.
- Post-round feedback: after a round, golfers may optionally submit written feedback about their experience. The form also offers an optional email field — if provided, that address is used only to contact monthly gift-card drawing winners (opt-in). Feedback and any associated email are retained for 365 days, then automatically deleted.
- Hole sponsors: sponsor name and a contact email (used to send the sponsor a portal invitation), plus any ad content the sponsor or organizer provides. Sponsors access their portal with an access code; no account is created.
- Usage data: standard server logs (IP address, browser type, timestamps) for security and performance monitoring.
For California residents, the data above corresponds to these CCPA categories: identifiers (name, email, IP address), customer records (phone, company, shirt size), commercial information (registration and payment metadata), geolocation (optional, approximate), internet or network activity (server logs), and audio/visual data (uploaded photos). We do not sell or share any of these categories.
4. How we use your data
- To operate the tournament scoring and management service.
- To authenticate organizer accounts and protect against unauthorized access.
- To process payments for tournament registration fees (via Stripe).
- To generate leaderboards, scorecards, and audit trails for the tournament director.
- To show on-course distances and maps to golfers who enable location.
- To deliver transactional email such as invitations, registration confirmations, and password resets.
- To diagnose errors and improve service reliability (via Sentry error monitoring).
We do not sell personal data, and we do not share personal data for cross-context behavioral (targeted) advertising. We do not use player or organizer data for advertising.
5. Legal basis for processing (EU/UK)
Where the EU or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract — to provide the service to organizers and run their tournaments.
- Legitimate interests — to keep the service secure, prevent fraud and abuse, monitor errors, and improve reliability.
- Consent — for optional features such as device location, which you can decline or withdraw at any time.
- Legal obligation — to meet tax, accounting, and record-keeping requirements.
6. Data retention
- Organizer account data — retained for the account lifecycle; deleted on account deletion (cascades to tournaments and related records).
- Registrant personal data (names, emails, team names, optional phone) — tournament duration plus up to 90 days post-event (organizer-controlled), or until earlier erasure (anonymized to
[erased]). - Player / score data — retained with the tournament until tournament deletion (cascade) or organizer erasure.
- Payment transaction metadata (Stripe IDs, amounts, item descriptions; no card data) — retained as financial/tax records; Stripe independently retains its own.
- Audit logs (
audit_events) — immutable, retained indefinitely; no raw PII. - Web vitals & command-metric samples — auto-pruned after 30 days (pg_cron).
- Rate-limit state — ephemeral.
- Application logs — DigitalOcean ~30 days; Sentry ~90 days (plan-dependent).
- Post-round feedback and any email address you optionally provide for the monthly gift-card drawing are retained for 365 days, then automatically deleted.
- We may retain limited data for longer where required by law (for example, tax records, fraud prevention, or a legal hold).
This matches the retention schedule in our Data Processing Agreement (§13.3).
7. Cookies and local storage
We use only strictly necessary cookies and browser storage to operate the service — primarily to keep you signed in and to secure authentication (session, sign-in, and passkey-challenge cookies). We do not use advertising, cross-site tracking, or analytics profiling cookies. Because these cookies are essential to the service, they are not used to build a marketing profile.
8. Data security
We maintain reasonable administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256, through our database provider Supabase), enforced access controls, row-level data isolation between organizers, and least-privilege access for our team. No method of transmission or storage is perfectly secure, but we work to protect your data and to limit who can access it. Where an organizer connects their own systems through our REST API, access uses OAuth 2.0 with short-lived, scoped, revocable tokens and is limited to that organizer’s own data. For more detail, see our Security & Trust overview.
9. Sub-processors and third parties
We use the following third-party services to operate ScrambleSync. Each is bound by their own privacy commitments:
- Supabase, Inc. — database, authentication, and file storage (United States)
- DigitalOcean, LLC — application hosting and compute (United States)
- Stripe, Inc. — payment processing (United States)
- Cloudflare, Inc. — content delivery and DDoS protection (United States / global)
- Resend (Plus Five Five, Inc.) — transactional email delivery (United States)
- Sentry (Functional Software, Inc.) — error monitoring (United States)
- Upstash, Inc. — rate-limiting infrastructure; stores only short-lived request counts keyed to IP address, with no durable personal data (United States)
- Anthropic, PBC — powers the optional Scramble AI assistant (off by default; only when enabled and in use); your inputs and outputs are not used to train AI models. See AI & Your Data (United States)
- Apple (MapKit) — satellite and map imagery for on-course hole maps and the live field map; receives map-tile/region requests, not personal data. The admin customer map additionally uses OpenFreeMap / OpenStreetMap tiles.
We also retrieve non-personal course reference data (hole layouts, par, yardage) from a third-party golf course data provider; no personal data is shared with it.
10. International data transfers
Our sub-processors are located in the United States, and personal data is processed there. If you are located in the EU, UK, or another region with data-transfer rules, transfers of your personal data rely on appropriate safeguards, including Standard Contractual Clauses. See our SCC & international data transfer page for details.
11. Children’s privacy
ScrambleSync is intended for tournament organizers and adult participants and is not directed to children under 13. We do not knowingly collect personal data from children. Where a minor participates in a tournament, any information about them is entered by the organizer running that event. If you believe a child’s data has been provided to us, contact us at the address below and we will delete it.
12. Your privacy rights
Subject to your local law, you may request to access, correct, or delete your personal data, obtain a portable copy of it, and object to or restrict certain processing. We will not discriminate against you for exercising these rights.
Depending on where you live, you may have additional rights. Residents of U.S. states with comprehensive privacy laws — including California (CCPA/CPRA), Colorado, Connecticut, Texas, Virginia, Oregon, Montana, and Utah, among others — generally have the right to confirm and access their data, correct it, delete it, obtain a portable copy, and opt out of the sale of personal data, targeted advertising, and certain profiling. Residents of the EU and UK have rights under the GDPR/UK GDPR.
Do Not Sell or Share / opt-out signals. As noted above, we do not sell personal data and do not share it for cross-context behavioral advertising. Because we do not, opt-out preference signals such as Global Privacy Control (GPC) do not change how we process your data.
Sensitive information. Some U.S. state laws treat precise geolocation as “sensitive personal information.” The only location we collect is the optional, approximate position a scorekeeper shares so their organizer can see live team positions during the round. It is opt-in, used only for that purpose, never used for advertising, profiling, or inferences, and you can decline it or stop sharing at any time.
To exercise any right, email [email protected]. We will verify your request and respond within 45 days (or sooner where your law requires). If we deny your request, you may appeal by replying to our decision or emailing [email protected] with “Appeal” in the subject line; we will respond to appeals within 45 days. You may also contact your state Attorney General if you have unresolved concerns. For player data tied to a specific tournament, the organizer is the controller — see section 2 above.
13. Automated decision-making
We do not use automated decision-making or profiling that produces legal or similarly significant effects about you.
14. Data breach notification
If a security incident affects your personal data, we will notify affected users and the applicable regulators without undue delay, as required by law.
15. Changes to this policy
We may update this policy from time to time. Material changes will be posted on this page with a revised effective date and, where required, communicated to account holders. Your continued use of ScrambleSync after an update takes effect constitutes acceptance of the revised policy.
16. Full privacy & security documentation
For our complete corporate privacy and security documentation, please visit: CoyoteValleyTech.com Privacy & Security.
17. Governing law
This Privacy Policy, and any dispute relating to it or to your use of ScrambleSync, is governed by the laws of the State of Utah, USA, without regard to its conflict-of-laws principles. The exclusive venue for any such dispute is the state and federal courts located in the State of Utah, and you consent to the personal jurisdiction of those courts. Nothing in this section limits any non-waivable rights you may have under the privacy laws of your state or country of residence.
18. Contact
Questions about this policy: [email protected]
Data controller of record for this site: Coyote Valley Technology Solutions, LLC (a Utah limited liability company), 9011 N Clubhouse Lane, Eagle Mountain, UT 84005, USA.