Privacy Policy
Last updated: 22 May 2026
This Privacy Policy explains how [nooQ Golf Ltd] ("nooQ Golf", "we", "us", "our") collects, uses,
shares and protects personal data when you visit nooqgolf.com, use any nooQ-powered club website or app, or otherwise interact with the nooQ Golf platform (the
"Service").
We are the data controller for personal data we collect through our own marketing website (nooqgolf.com). Where the Service is used by a golf club to manage its members,
the golf club is the data controller and nooQ Golf acts as the data processor on its behalf, under a separate Data Processing Agreement.
If you have any questions, contact us at privacy@nooqgolf.com.
1. Who we are
[nooQ Golf Ltd], a company registered in [Scotland] under company number [COMPANY NUMBER], registered office at [REGISTERED ADDRESS].
We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO REGISTRATION NUMBER].
2. What this policy covers
This policy covers:
- The nooQ Golf marketing site at
nooqgolf.com - The nooQ Golf admin and CMS at
*.nooqgolf.comsubdomains - Public club websites built on the nooQ Golf platform (
*.nooqgolf.comand custom club domains) - The nooQ Golf mobile app and APIs
- Integrations with TikTok, Facebook (Meta), Instagram (Meta), Stripe, and golf-management suppliers (Golf Genius, ClubV1, HowDidiDo)
3. Personal data we collect
3.1 Information you give us
- Account details — name, email address, password, role at your club
- Profile details — handicap, club membership status, contact preferences
- Booking and competition data — tee times, lesson bookings, competition entries and scores
- Payments — card details are submitted directly to Stripe; we receive only a token and the last four digits
- Communications — emails, support tickets, AI-chat messages you send us
3.2 Information we collect automatically
- Device and connection data — IP address, browser type, operating system, referring page
- Usage data — pages viewed, actions taken, timestamps
- Application logs — error reports and diagnostic information needed to operate the Service securely
3.3 Information from third parties
- Golf-management suppliers — where your club has authorised it, we receive tee-sheet, competition, handicap and member-roster data from Golf Genius, ClubV1, HowDidiDo and similar providers
- Social-media platforms — where a club has connected its TikTok, Facebook Page or Instagram Business account, we receive that account's profile and recent post metadata (detailed in section 5)
- Payment provider — Stripe sends us payment status, dispute notifications and minimal card metadata
4. Analytics — Umami
We use Umami for website analytics on nooqgolf.com and on nooQ-powered club websites. Umami is a privacy-first, cookieless analytics tool
that we self-host on our own infrastructure in [the United Kingdom / EEA]. Umami:
- Does not set tracking cookies
- Does not collect personally identifying information
- Does not share data with any third party
- Does not use your data for advertising or profiling
What Umami records is limited to: anonymised, aggregated page views, referrer, browser type, operating system, device type, screen size and approximate country. IP addresses are processed transiently to derive country only and are not stored.
Because Umami is cookieless and collects no personal data, we do not show a cookie banner for analytics on nooQ-controlled pages. You do not need to opt out.
We do not use Google Analytics, Meta Pixel, TikTok Pixel, or any third-party advertising or tracking pixel on nooqgolf.com.
5. Social-media integrations
A connected golf club can link its own TikTok, Facebook Page or Instagram Business account so that its own recent posts appear in a "Social Feed" block on its club website. These integrations are read-only. We never post, comment, like, follow, or send messages on a connected account.
5.1 TikTok
When a club admin connects a TikTok account via TikTok Login Kit, we receive and store:
- An access token and refresh token issued by TikTok (AES-256 encrypted at rest)
- The account's
open_id,display_name, andavatar_url(scopeuser.info.basic) — used to show "Connected as @handle" in the CMS so the admin can verify the right account is linked
Every 5 minutes a background job fetches the connected account's recent videos (scope video.list) and reads only:
- Video ID, title, cover image URL, share URL, creation time, like / comment / view counts
This metadata is cached against the club's tenant record and rendered on the club's public website as cards that link out to tiktok.com for playback. We do not store the video files themselves and we do not show one club's TikTok content on a different club's website.
A club admin can disconnect TikTok at any time from the CMS. Disconnecting revokes and deletes the stored tokens and purges the cached video metadata.
Use of TikTok data is also governed by TikTok's Privacy Policy.
5.2 Facebook (Meta)
When a club admin connects a Facebook Page via Meta Login, we receive and store:
- A long-lived Page access token (AES-256 encrypted at rest)
- The Page ID, name and avatar — used to show "Connected as {page name}" in the CMS
We then fetch the Page's recent public posts (scopes pages_read_engagement and pages_read_user_content) and read only:
- Post ID, message text, full picture URL, attachment media, permalink, creation time, like and comment counts
This metadata is cached against the club's tenant record and rendered on the club's public website. We do not access private messages, friends lists, or personal profile data, and we do not post on the Page.
Disconnecting Facebook in the CMS revokes the token and purges cached posts.
Use of Facebook data is also governed by Meta's Privacy Policy.
5.3 Instagram (Meta)
When a club admin connects an Instagram Business account via Meta Login, we receive and store:
- A long-lived access token (AES-256 encrypted at rest)
- The Instagram Business account ID, username, and profile picture URL — used to show "Connected as @handle" in the CMS
We then fetch the account's recent media (scope instagram_basic and instagram_manage_insights where required) and read only:
- Media ID, caption, media URL, permalink, timestamp, like and comment counts
This metadata is cached against the club's tenant record and rendered on the club's public website. We do not access direct messages, follower lists, or stories beyond what the Graph API exposes for embedding.
Disconnecting Instagram in the CMS revokes the token and purges cached posts.
Use of Instagram data is also governed by Meta's Privacy Policy.
6. Why we use your data (lawful bases)
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide the Service you or your club have asked for | Contract |
| Process bookings, competitions and payments | Contract |
| Send service-related emails (booking confirmations, password resets) | Contract |
| Secure the Service and prevent abuse | Legitimate interests |
| Cookieless analytics via Umami | Legitimate interests |
| Marketing emails about nooQ Golf to club staff | Legitimate interests (B2B), with opt-out in every email |
| Marketing emails to consumers | Consent |
| Comply with legal obligations | Legal obligation |
7. Who we share data with
We share personal data only with:
- Your golf club — for data you submit through a club's tenant
- Sub-processors acting on our instructions — primarily our hosting provider ([Linode / Akamai], UK / EU regions) and our transactional-email provider ([provider name])
- Stripe — for payment processing
- Golf-management suppliers (Golf Genius, ClubV1, HowDidiDo) — only where your club has authorised an integration
- TikTok and Meta — only to the extent inherent in calling their APIs on a connected club account's behalf
- Authorities — where we are legally required to disclose
We do not sell personal data. We do not share personal data with advertising networks.
A current list of sub-processors is available on request from privacy@nooqgolf.com.
8. International transfers
Our primary hosting is in the United Kingdom and / or European Economic Area. Where a sub-processor is outside the UK / EEA (for example Stripe, TikTok, Meta), transfers are protected by the UK International Data Transfer Agreement, the EU Standard Contractual Clauses, or an applicable adequacy decision.
9. How long we keep data
| Data | Retention |
|---|---|
| Account and profile data | While your account is active, then deleted within 90 days of closure |
| Booking and competition records | 7 years (for tax and audit purposes), then deleted |
| Payment records | 7 years (UK tax-record requirement) |
| Social-media tokens | Until you disconnect the account, then deleted within 24 hours |
| Cached social-media posts | Until you disconnect the account, then purged within 24 hours |
| Umami analytics | Aggregated only; retained for 24 months |
| Application logs | 30 days by default |
| Backups | Up to 35 days rolling, after which superseded |
Where a club ends its subscription, we make a reasonable effort to allow the club to export its data before deletion.
10. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Erase your data ("right to be forgotten"), subject to legal-retention obligations
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Data portability — receive a copy of your data in a structured format
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, email privacy@nooqgolf.com. We respond within one month.
If you are unhappy with how we have handled your data, you can complain to the UK Information Commissioner's Office at https://ico.org.uk/ or 0303 123 1113. We would appreciate the chance to address your concerns directly first.
11. Cookies and similar technologies
nooqgolf.com and nooQ-powered club websites use:
- Strictly necessary cookies — session cookies that keep you logged in and protect against CSRF. These do not require consent.
- No analytics cookies — Umami is cookieless (see section 4).
- No advertising or tracking cookies — we do not run any.
Where a club website embeds third-party content (for example a TikTok video card or a Google Maps frame), that third party may set its own cookies when you interact with the embed. We provide a separate cookie notice on club websites where embeds are used.
12. Security
We protect personal data with:
- TLS 1.2+ for all transport
- AES-256 encryption at rest for sensitive tokens (including social-media tokens)
- Role-based access control internally with audited admin actions
- Regular backups with restricted access
- Monitored infrastructure and prompt patching
No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify the ICO within 72 hours where required and notify affected individuals without undue delay where the risk is high.
13. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16 except where a parent or guardian has consented and where the club has a legitimate basis (for example a junior membership). If you believe we hold data about a child without proper consent, contact privacy@nooqgolf.com and we will delete it.
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or via an in-product notice at least 14 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
15. Contact
[nooQ Golf Ltd]
[REGISTERED ADDRESS]
Data protection enquiries: privacy@nooqgolf.com
General enquiries: support@nooqgolf.com
Postal: [REGISTERED ADDRESS]