TeeTime

Your location

Set your location to sort courses by distance. Your location stays on this device — it is never sent to our server.

Policy · v1

Privacy Policy

Effective 16 May 2026 · What we collect, why, and your rights under UK GDPR.

This Privacy Policy explains how Bednal Limited (company number 12582198, registered in England and Wales) ("we", "us", "our") collects, uses, and protects your personal data when you use tee-time.uk and related services (the "Service"). We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This Policy should be read alongside our Terms & Conditions and our Acceptable Use Policy.

1. Who we are and the data controller

Bednal Limited (company number 12582198), registered in England and Wales at Unit 4 Clifford Court, Cooper Way, Carlisle, England, CA3 0JG, is the data controller for personal data processed in connection with the Service. Our data protection contact is: admin@bednal.com.

2. What data we collect

We collect and process the following categories of personal data:

  1. Data you provide directly
    1. Identity data: your name, email address, and UK mobile phone number;
    2. Optional profile data: handicap, home club, profile photo;
    3. Authentication data: WebAuthn public-key credentials (passkeys) bound to your device; we never see or store the underlying private key or any password;
    4. User Content: reviews, social posts, comments, and any messages you submit through the Service.
  2. Data we collect automatically
    1. Booking activity: the courses, dates, and times you select; the outcome of each booking attempt (success, ambiguous, or one of several failure modes);
    2. Booking diagnostics: a BookingAttemptLog row per booking attempt that records the platform response shape (status code, latency, parsed confirmation reference where present) — this is our debugging lifeline when a third-party site changes shape;
    3. Technical data: IP address, user-agent string, device type, browser, and approximate region inferred from IP;
    4. Session data: a Better Auth session cookie tying your browser to your Account, plus small functional cookies (your theme preference, install-prompt suppression flag);
    5. Location data: if you grant the browser geolocation permission for the "near me" feature, we use your coordinates to sort courses by distance. Coordinates are not persisted to our database. They may transiently appear in standard hosting access logs (e.g. when sent as request parameters), which are retained for short, security-related periods only.
  3. Data from third parties
    1. If you sign in with Google, Google provides us with your email address and basic profile (name, profile picture URL) per your consent given at Google.
    2. If you sign in with Apple, Apple provides us with your email address and, where you choose to share it, your name. If you choose Apple's "Hide My Email" option, the address we receive is a private relay address ending @privaterelay.appleid.com. Apple forwards email sent to that address on to your real inbox; we never see your underlying email.

We do not intentionally collect special-category data (race, health, religion, political opinions, biometric data, etc.). If you choose to disclose such data in a review or social post, please be aware it becomes part of your User Content.

3. How we use your data

We process your personal data for the following purposes:

PurposeLegal basis under UK GDPR
To create and operate your AccountContractual necessity (Art. 6(1)(b))
To complete tee-time bookings on your behalf at third-party ClubsContractual necessity (Art. 6(1)(b))
To send you transactional emails (booking confirmations, security notices)Contractual necessity (Art. 6(1)(b))
To improve and debug the Service (e.g. BookingAttemptLog analysis)Legitimate interest (Art. 6(1)(f))
To prevent fraud, abuse, and to enforce our TermsLegitimate interest (Art. 6(1)(f))
To send marketing communications, where you have opted inConsent (Art. 6(1)(a))
To comply with legal obligations (e.g. responding to lawful requests)Legal obligation (Art. 6(1)(c))

Where we rely on legitimate interest, we have weighed those interests against your rights and freedoms and we believe our processing is proportionate. You can object at any time — see clause 8.

4. intelligentgolf guest accounts

To book at clubs that run on the intelligentgolf platform, the Service automatically creates a per-club guest account on your behalf the first time you book there. We generate a unique email address (of the form <your-user-id>+<course-slug>@<guest-domain>) and a random password. The password is encrypted at rest using AES-256-GCM with a key we control, and is only ever decrypted in memory during a booking attempt. The Club's intelligentgolf system stores the guest account on its own infrastructure; you can request deletion from the relevant Club separately.

5. Cookies and similar technologies

The Service uses the following cookies:

  1. Better Auth session cookie. Strictly necessary; identifies your authenticated session. Lifespan: 30 days, with sliding renewal.
  2. Theme cookie. Functional; stores your light / dark / system preference.
  3. Install-prompt suppression cookie. Functional; remembers that you have dismissed the "Add to Home Screen" prompt so we don't re-show it.

We do not currently use third-party analytics, advertising, or fingerprinting cookies. If that changes we will update this Policy and (if required) ask for your consent first.

6. Who we share your data with

We only share your personal data where it is necessary and lawful to do so. Our sub-processors include:

  1. Vercel Inc. — application hosting (functions, edge cache, blob storage). Data location: primarily UK / EU (lhr1).
  2. Neon Inc. — managed PostgreSQL database. Data location: eu-west-2 (London).
  3. Resend — transactional email delivery.
  4. Vercel Blob — storage of user-uploaded avatars.
  5. Web Push services (Apple Push, Firebase Cloud Messaging) — delivery of any push notifications you opt in to.
  6. Better Auth (open-source library) — runs in our infrastructure; not a separate processor.
  7. The booking platforms — at the moment you make a Booking, the Service submits the data the platform requires to complete a visitor booking on your behalf. Platforms currently in use: ClubV1, BRS Golf, intelligentgolf, Sahara, ESP/EliteLive, and Chronogolf. We share only what each platform requires (typically: name, email, phone, optionally handicap). Each platform applies its own privacy policy to that data.

We may also disclose personal data where required by law, by a court of competent jurisdiction, or to defend our legal rights.

7. International transfers

Some of our sub-processors operate outside the UK (notably Vercel and Resend, which are US-headquartered). Where personal data is transferred outside the UK, we rely on one or more of the following safeguards:

  1. UK adequacy decisions where they exist;
  2. Standard Contractual Clauses approved by the UK Information Commissioner ("ICO");
  3. The UK Addendum to EU Standard Contractual Clauses.

8. Data retention

  1. Account data is retained for as long as your Account is open. If you delete your Account, we delete or anonymise it within 90 days, except where law requires longer retention.
  2. Booking confirmations are retained for as long as your Account is open, then anonymised on deletion.
  3. BookingAttemptLog rows (debug data) are retained for 12 months and then deleted on a rolling basis.
  4. Cached availability data is ephemeral — it is overwritten on each refresh and contains no personal data.
  5. Encrypted intelligentgolf guest-account credentials (IGGuestAccount.passwordEnc) are retained for as long as your Account is open. On deletion they are removed; the corresponding guest account at the Club is not automatically deleted (you may need to request that from the Club).

9. Your rights

Under UK GDPR you have the following rights, exercisable at any time by contacting admin@bednal.com:

  1. Access — a copy of the personal data we hold about you;
  2. Rectification — correction of inaccurate or incomplete data;
  3. Erasure ("right to be forgotten") — deletion of your data, subject to lawful retention obligations;
  4. Portability — a machine-readable export of data you have provided;
  5. Restriction — restrict our processing in certain circumstances;
  6. Objection — object to processing based on legitimate interest, including for profiling;
  7. Withdraw consent — where processing relies on consent, withdraw it at any time;
  8. Complain to the ICO — you may lodge a complaint with the UK Information Commissioner's Office (https://ico.org.uk). We would, however, appreciate the chance to address your concern first.

We will respond to a rights request within one month, unless the request is complex or part of a series in which case we may extend by a further two months and tell you why.

10. Children

The Service is not intended for, and may not be used by, anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at admin@bednal.com and we will delete it.

11. Security

  1. Authentication uses passkeys (WebAuthn) bound to your device's biometric or PIN. We do not store passwords for your Account, and we cannot see the private half of your passkey.
  2. Booking-hold tokens are HMAC-signed using a server-side secret so they cannot be tampered with by a client.
  3. Sensitive secrets (such as intelligentgolf guest-account passwords) are encrypted at rest using AES-256-GCM.
  4. All traffic to the Service is served over HTTPS.
  5. We follow the principle of least privilege for production access and apply security updates on a routine basis.

No system is perfectly secure. If you believe you have found a vulnerability in the Service, please contact us at admin@bednal.com and we will respond promptly.

12. Changes to this Policy

We may update this Policy from time to time. Material changes will be flagged on the Service before they take effect. The "Effective" date at the top of this page tells you when the current version began to apply.

13. Contact

If you have any question about this Privacy Policy or want to exercise any of your rights, please contact us at admin@bednal.com, or write to:

Bednal Limited (company number 12582198) Unit 4 Clifford Court, Cooper Way, Carlisle, England, CA3 0JG