Privacy Policy

Last updated: 2026-05-17

Mabuhay Golf (“we”, “us”, “the App”) values your privacy. This policy explains what data we collect, why we collect it, how we use and protect it, and the rights you have over your data. It applies to use of our mobile apps (iOS / Android), web app and marketing site at mabuhaygolf.com.

1. Data we collect

• Account data: email or phone, password hash, OAuth provider IDs (Apple / Google / Facebook), locale, country.
• Player profile: nickname, avatar, handicap, gender (optional), home courses.
• Caddy profile: real name, government ID type and number, ID-document images, selfie holding ID, languages spoken. Used solely for KYC review and compliance.
• Booking and match data: tee-time bookings, caddy bookings, match scorecards, friend relationships, posts, tips and comments.
• Payment data: order amount, currency, payment provider (Stripe / Apple IAP / Google Play), payment-intent IDs. We never see or store your card number — it is handled by Stripe / the platform store.
• Device data: device model, OS version, push token (FCM / APNs), app version. Coarse-grained analytics via Sentry.
• Location: only when you grant permission, used to find nearby courses. Coordinates are not stored long-term beyond the session.

2. How we use it

• To run the service: matching caddies to players, processing bookings and payments, scoring matches.
• To meet legal obligations: KYC review for caddies, anti-fraud, tax records, dispute resolution.
• To improve the product: aggregated, anonymised usage analysis.
• To communicate: order receipts, booking reminders, match invites, security alerts. We do not use your data for third-party advertising.

3. Sharing and processors

We disclose data only to the following categories of recipients, under data-processing agreements:

• Payment processors (Stripe, Apple, Google) — to process payments.
• Cloud infrastructure (Aliyun) — to host servers, databases and file storage.
• Push delivery (Firebase Cloud Messaging) — to send notifications.
• Error monitoring (Sentry) — to detect and diagnose crashes; pseudonymised user IDs only.
• Map services (Google Maps / OpenStreetMap) — to display course locations.
• Lawful requests — when we are legally required (Philippine DOJ, court order). We push back on overbroad requests.

We do not sell your personal data, and we do not share it with data brokers or ad networks.

4. Retention

Account data is retained while your account is active. After you request deletion (Settings → Delete Account), your account is soft-deleted for 30 days (during which you may recover it via support), then permanently erased. Tax and payment records that we are legally required to retain (typically 5–7 years) are kept in a separate, restricted database with personally identifying fields removed where possible.

5. Your rights

Under GDPR (if you are in the EU/EEA), PDPA (Philippines, Data Privacy Act of 2012) and CCPA (California), you have the right to:

• Access & export — download a JSON snapshot of all data we hold about you. In the mobile app: Settings → 导出我的数据.
• Correct — edit your profile in the app, or email us for fields you cannot edit yourself.
• Delete — request permanent deletion. In the mobile app: Settings → 注销账号.
• Object & restrict — opt out of non-essential processing such as analytics.
• Withdraw consent — for marketing emails / push, you can opt out in Settings at any time.
• Complain — to your local supervisory authority (e.g. NPC in the Philippines, ICO in the UK, your DPA in the EU).

We typically respond within 30 days. To exercise these rights, contact [email protected].

6. Security

We use TLS for data in transit, encryption at rest for caddy ID-documents, scoped access control on our cloud provider, role-based access control for admin staff, and audit logging of all admin actions. No system is perfectly secure — please report vulnerabilities to [email protected].

7. International transfers

Our servers are in Hong Kong (Aliyun International). If you access the service from outside Hong Kong, your data may be transferred to a region with different data-protection rules. By using the service you consent to this transfer; we apply contractual safeguards equivalent to your home jurisdiction’s standard.

8. Children

The service is not directed at children under 14. If you believe a child has signed up, contact us and we will delete the account.

9. Changes

We may update this policy. Material changes will be announced via in-app notification and email at least 14 days before they take effect.

10. Contact

Mabuhay Golf · [email protected]