Privacy Policy

Cuppacard Ltd is the data controller for personal data collected through the BookMyBays platform at bookmybays.com.

If you are a Customer who has made a booking with a golf venue through BookMyBays, that Venue is also a data controller for your booking information. Please refer to the Venue's own privacy policy for details of how they use your data.

For any privacy-related queries, contact us at: [email protected]

Venue account holders:

• Name, email address, and phone number
• Business name, address, and contact details
• Billing information (processed and held by Stripe — we do not store card details)
• Usage data: pages visited, features used, login times
• Communications with our support team

Customers making bookings:

• Name and email address
• Phone number (if provided)
• Booking details: date, time, bay, duration, and amount paid
• Payment confirmation reference (not card details)

Website visitors:

• Technical data such as IP address, browser type, and referring URL collected via analytics

We use the data we collect to:

• Create and manage your account
• Process bookings and payments
• Send booking confirmations and reminders
• Provide customer support
• Improve the Platform and fix technical issues
• Send product updates and service communications (you can opt out of marketing emails at any time)
• Comply with legal and regulatory obligations

Under UK GDPR, we rely on the following legal bases:

• Contract performance — processing necessary to provide the service you've signed up for
• Legitimate interests — improving the Platform, preventing fraud, ensuring security
• Legal obligation — where we must retain data to comply with law (e.g. financial records)
• Consent — for optional marketing communications, which you can withdraw at any time

We do not sell your personal data. We share it only where necessary:

• Stripe — to process payments securely. Stripe's privacy policy applies to data they hold.
• Supabase — our database and authentication infrastructure provider.
• Vercel — our hosting provider; your data may transit through their infrastructure.
• Venues — Customer booking data is accessible to the Venue you booked with.
• Legal authorities — where we are required to disclose data by law or court order.

All third-party providers are contractually required to handle data securely and only for the purposes we specify.

Some of the third-party providers we use (including Stripe, Supabase, and Vercel) operate infrastructure outside the United Kingdom — typically within the European Economic Area (EEA) and the United States. This means your personal data may be transferred to, stored in, or accessed from countries outside the UK.

Where we transfer personal data to a country that has not been deemed by the UK Government to provide an adequate level of protection, we put in place appropriate safeguards as required by Article 46 of the UK GDPR, which include:

• The UK Government's International Data Transfer Agreement (IDTA), or
• The European Commission's Standard Contractual Clauses together with the UK Addendum issued by the Information Commissioner's Office.

You can request a copy of the relevant transfer mechanism by emailing [email protected].

We retain personal data for as long as necessary to provide the service and meet our legal obligations:

• Venue account data — retained for the duration of your account plus 2 years after closure
• Booking records — retained for 7 years for financial/legal compliance purposes
• Marketing preferences — until you unsubscribe or withdraw consent
• Website analytics — aggregated and anonymised after 26 months

Under UK GDPR you have the right to:

• Access — request a copy of the personal data we hold about you
• Rectification — ask us to correct inaccurate or incomplete data
• Erasure — request deletion of your data where we no longer have a lawful reason to hold it
• Restriction — ask us to pause processing in certain circumstances
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests or for direct marketing
• Withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, email us at [email protected]. We will respond within one calendar month.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

BookMyBays uses cookies and similar technologies to keep you signed in, remember your preferences, and improve the Platform.

• Essential cookies — required for authentication and session management. Cannot be disabled.
• Preference cookies — store your theme preference (light/dark mode).
• Analytics cookies — help us understand how the Platform is used, anonymised where possible.

We do not load analytics or other non-essential cookies until you give consent via our cookie banner. You can change or withdraw your consent at any time by clearing your cookie preference and reloading the page, or via your browser settings. Disabling essential cookies will prevent you from signing in.

We take reasonable technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encrypted connections (HTTPS), access controls, and secure third-party infrastructure.

No system is completely secure. While we take data security seriously, we cannot guarantee that our systems, or those of our third-party providers (including Stripe, Supabase, and Vercel), will be entirely free from security breaches, unauthorised access, or data loss. To the fullest extent permitted by law, we will not be liable for any loss or damage arising from a security breach or data incident that occurs despite reasonable security measures being in place, or that results from circumstances beyond our reasonable control.

If you suspect a security issue, please contact us immediately at [email protected].

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via the Platform. The “last updated” date at the top of this page indicates when it was last revised.