We collect almost nothing
Privacy policy.
OpenGolfAPI is run by one person on a tight budget. We don't need your data to make money, so we don't take it.
Last updated: 2026-05-03
The receipts
What we collect.
When you visit any page. Standard server logs: your IP address, User-Agent string, the path you requested, and a timestamp. Retained for 30 days, then deleted.
When you sign up for an API key. Your email address, plus an optional name and project name if you give them.
When you submit an edit or claim a course. Whatever email and name you put in the form.
When you donate via Open Collective. Open Collective handles the payment flow. We don't see your card. If we ever wire up the donor webhook, we'll receive only your name, email, and pledge amount — no payment instrument data, ever.
The list of nopes
What we don’t collect.
- No tracking pixels.
- No third-party analytics — no Google Analytics, no PostHog, no Mixpanel.
- No behavioral or advertising cookies.
- No cross-site tracking, no fingerprinting, no session replay.
Why we have it
How we use it.
- IP addresses — to enforce per-IP rate limits on the anonymous tier.
- Email (key) — to send you your key, and to email you about breaking changes. That's it. No newsletter, no marketing.
- Email (edit / claim) — to email you when your submission is reviewed, accepted, or rejected.
Who else sees it
Sharing.
We don't sell your data. We don't share it with advertisers. We don't share it with anyone, period — except the subprocessors below who need it to run the service.
Our vendors
Subprocessors.
| Provider | Region | What they do |
|---|---|---|
| Supabase | US / EU | Database hosting (Postgres + auth) |
| Cloudflare | Global | CDN, DNS, Workers (the API runs here) |
| Vercel | US | Next.js app hosting (this site) |
| Resend | US | Transactional email delivery |
| Anthropic | US | AI verification of edit submissions (sees the edit text and course context, never your personal data) |
Cloudflare and Vercel see request metadata (IP, headers, path) as a side effect of serving you. That's normal CDN/hosting behavior; we don't pull additional analytics out of either platform.
EU residents
GDPR rights.
If you're in the EU/EEA, you have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to processing. Email hello@opengolfapi.org and we'll respond within 30 days.
The legal basis for what little processing we do is legitimate interest (operating a free public-interest dataset and protecting it from abuse), and consent (when you give us your email for a key or an edit).
California residents
CCPA / CPRA.
California residents have substantially the same rights — access, deletion, correction, and the right to know. Same email, same turnaround. We do not “sell” or “share” personal information as those terms are defined under the CCPA.
How long we keep things
Retention.
- API key signups: kept until you ask us to delete them or until 5 years of inactivity have passed, whichever comes first.
- Edit submissions: indefinitely. Edits become part of the open ODbL dataset and can't be retroactively unpublished without rewriting history. We'll honor a deletion request for your contact info, but the edited fact stays in the dataset.
- Server logs: 30 days, then deleted.
What’s in your browser
Cookies.
We use one cookie: an authentication cookie set when you log in to /admin. Admin is staff-only; if you're not Julian, you don't have one. We don't use any other cookies.
Not a kids’ site
Children.
OpenGolfAPI is not designed for children under 16, and we don't knowingly collect personal information from them. If you believe a minor has given us their email, write to hello@opengolfapi.org and we'll delete it.
One inbox
Contact.
All privacy requests, GDPR or CCPA inquiries, deletion requests, or general “what do you have on me” questions go to hello@opengolfapi.org.