The short version
We collect the minimum data needed to run a golf review platform. Your email and a hashed password live with our auth provider. Your reviews, ratings, lists, and photos live with us so the app can show them to you and (if you opt in to a public profile) to other golfers. We use a privacy-friendly analytics tool only when you accept cookies, and we never sell your data.
What we collect
- Account data: email address and a hashed password (handled by Supabase Auth, our identity provider).
- Profile data: username, display name, bio, avatar URL, and a public/private flag (exactly what you put into your profile).
- Activity data: golf courses you mark as played or want-to-play, rounds you log (date, score, rating, review text, tags, photos), lists you create, follows, likes, and comments.
- Technical data: when you're signed in, your browser stores a session cookie so we know it's still you on the next request. We do not fingerprint your device.
- Analytics (only if you accept cookies): page paths visited, anonymous interaction counts, and basic device/browser info. We use PostHog as our analytics processor. No session recording, no autocaptured form input, no third-party retargeting.
What we don't collect
- No precise location data beyond what you explicitly enter (city/state) or what's attached to a course you logged.
- No reading of your contacts, calendar, or other apps.
- No data sold to advertisers, brokers, or third parties.
- No tracking pixels from ad networks. If we add display ads in the future, this policy will be updated and you'll be re-prompted to consent.
Cookies and consent
On first visit you'll see a banner asking whether you accept cookies for analytics. If you decline (or ignore the banner), we never load our analytics SDK and never set its cookies. We do use a strictly-necessary session cookie when you sign in. That cookie cannot be declined because without it you can't be logged in.
You can change your mind any time by clearing the scratched_cookie_consent entry in your browser's local storage; the banner will then reappear.
Who sees your data
- Your reviews, rounds, and lists are visible to the public if your profile is set to public (the default). You can switch your profile to private in Settings, which hides your activity from non-logged-in viewers and other users.
- Search engines (Google, etc.) may index your public profile and your public lists.
- Our employees and contractors only access user data when necessary to fix a bug or moderate content.
Sub-processors
We rely on a handful of vendors to operate the service:
- Supabase: database, authentication, file storage
- Netlify: web hosting and CDN
- PostHog: product analytics (only when you opt in)
- OpenStreetMap / CARTO: map tiles
Your rights
You can export your data, change your profile fields, or deactivate your account from Settings. For full deletion of your account record (including auth credentials), email hello@scratched.io. We'll process the request within 30 days.
If you're in the EU, UK, or California, you have additional rights to access, port, correct, and delete personal data we hold about you. Email the same address and we'll route the request.
Children
scratched.io is not directed at children under 13. If you believe a minor has created an account, email us and we'll remove it.
Changes
We'll post changes here with an updated effective date. Material changes will re-prompt the cookie banner so you can re-consent.
Contact
Questions, requests, or complaints: hello@scratched.io.