Privacy Policy

1. Introduction & Who We Are

On The Box Golf ("On The Box," "we," "us," or "our") operates ontheboxgolf.com, a private fantasy golf tournament platform. We provide tools for league administrators to host skill-based fantasy golf contests, and for participants to join those leagues via invite code, make weekly golfer picks, and compete based on real PGA Tour purse earnings.

This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and your rights regarding that information. By creating an account or using our platform, you agree to the practices described in this policy.

If you have questions, contact us at hello@ontheboxgolf.com.

2. Information We Collect

We collect the following categories of information:

Account Data

• Full name and display name
• Email address
• Password (stored as a one-way hash — we never store your plain-text password)
• State of residence (collected for eligibility verification)
• Date of birth or age confirmation (18+ verification)

Usage Data

• Golfer picks, league participation history, and scoring data
• Pages visited, features used, and time spent on the platform
• Log data including timestamps and actions taken

Payment Data

On The Box Golf does not store payment card numbers, bank details, or full payment credentials. All payment processing is handled by Stripe (PCI DSS Level 1 certified). We receive only a transaction confirmation and a Stripe customer ID.

Device & Technical Data

• IP address
• Browser type and version
• Device type and operating system
• Referral URLs

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account
• Operate the fantasy golf platform, including pick processing and leaderboard scoring
• Verify that you meet the age requirement (18+)
• Process platform fee payments through Stripe
• Send transactional emails (account confirmation, pick reminders, results) via Resend
• Respond to support requests
• Detect and prevent fraud, abuse, or unauthorized access
• Improve platform performance and user experience

We do not use your information for advertising. We do not sell your data to third parties.

4. Legal Basis for Processing (CCPA / GDPR)

For users in California (CCPA) and the European Economic Area (GDPR), our legal bases for processing personal data are:

• Contractual necessity — processing required to provide the platform services you signed up for
• Legitimate interests — fraud prevention, security monitoring, and platform improvement
• Legal obligation — retaining transaction records as required by applicable law
• Consent — for optional communications (you may opt out at any time)

5. Data Sharing & Third Parties

We share data only with the following service providers, solely to operate the platform:

Supabase (supabase.com)

Our database and authentication infrastructure. User data is stored in a PostgreSQL database hosted by Supabase with Row Level Security enabled, meaning each user can only access their own data. Supabase processes data on our behalf under a Data Processing Agreement.

Stripe (stripe.com)

Payment processing for platform fees. Stripe is PCI DSS Level 1 certified. When you pay, you interact directly with Stripe's secure payment interface. On The Box Golf does not receive or store your full payment card information.

Resend (resend.com)

Transactional email delivery. We use Resend to send account confirmation emails, pick deadline reminders, and results notifications from hello@ontheboxgolf.com. Resend processes your email address to deliver these messages.

We do not sell, rent, or share your personal information with advertisers, data brokers, or any third party for their own marketing purposes.

We may disclose information if required by law, court order, or to protect the rights and safety of On The Box Golf or its users.

6. Age Requirement

On The Box Golf is intended for users who are 18 years of age or older. We do not knowingly collect personal information from individuals under 18. Age confirmation is required during registration.

If we become aware that a user under 18 has created an account, we will promptly delete their account and associated data. If you believe a minor has registered, please contact us at hello@ontheboxgolf.com.

7. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Specifically:

• Account data is retained for the duration of your account and for a reasonable period after deletion to resolve disputes or comply with legal obligations
• Transaction and payment records are retained for a minimum of five (5) years in accordance with applicable financial record-keeping requirements
• Usage and log data is retained for up to 12 months, unless required longer for security or legal purposes

To request deletion of your account and associated data, contact hello@ontheboxgolf.com. Note that transaction records may be retained beyond account deletion as required by law.

8. Your Rights & Choices

Depending on your location, you may have the following rights regarding your personal data:

All Users

• Access — request a copy of the personal data we hold about you
• Correction — request that we correct inaccurate or incomplete information
• Deletion — request deletion of your account and personal data (subject to retention requirements)
• Opt-out — unsubscribe from non-essential emails at any time via the unsubscribe link in any email

California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected and sold, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising these rights.

To submit a rights request, email hello@ontheboxgolf.com with the subject line "Privacy Request." We will respond within 45 days.

9. Cookies & Tracking

On The Box Golf uses cookies and similar technologies to operate the platform. These include:

• Authentication cookies — required to keep you logged in during your session (essential; cannot be disabled)
• Preference cookies — remember your settings and display preferences
• Analytics cookies — help us understand how the platform is used so we can improve it

We do not use third-party advertising cookies or track users across other websites.

You can control cookie settings through your browser. Disabling essential cookies may prevent you from logging in or using core platform features.

10. Security Practices

We take reasonable technical and organizational measures to protect your personal information, including:

• All data transmitted between your browser and our platform is encrypted using HTTPS (TLS)
• Passwords are stored using one-way cryptographic hashing — we cannot recover your password
• Database access is protected by Row Level Security, ensuring users cannot access other users' data
• Payment data is handled exclusively by Stripe under PCI DSS Level 1 standards
• Access to production systems is restricted to authorized personnel

No method of transmission or storage is 100% secure. In the event of a data breach that affects your rights, we will notify you as required by applicable law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify you by email or by posting a prominent notice on the platform.

Your continued use of On The Box Golf after changes are posted constitutes acceptance of the updated policy.

12. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

On The Box Golf
Email: hello@ontheboxgolf.com
Website: ontheboxgolf.com