Síðast uppfært · 2026-05-15
Privacy Policy
1. Who we are (data controller)
SKAFT. is an independent practice tracker for golfers, made and operated in Iceland by Viktor Tumi Valdimarsson (“we”, “us”, “SKAFT.”). SKAFT. is currently operated as a personal project and is not yet a registered company. If that changes in the future, this section will be updated to reflect the new legal entity, kennitala, and registered address.
Contact for privacy questions:
- Email: skaft@skaftgolf.com
- Instagram: @skaftgolf
For the purposes of GDPR (Reglugerð (ESB) 2016/679) and Lög um persónuvernd nr. 90/2018, Viktor Tumi Valdimarsson is the data controller of personal data you provide when using the SKAFT. mobile application. Kennitala available on request.
2. What personal data we collect
We collect only what is necessary to run the app and the subscription.
| Category | Examples | Source |
|---|---|---|
| Account | Email address, password (hashed by Supabase), user id (uuid), preferred language | You, at sign-up |
| Profile | Username, avatar image, golf handicap, leaderboard visibility, theme, unit system | You, in the app |
| Practice data | Sessions, drills logged, scores, drill notes, session notes, location type (indoor/outdoor), weather selections | You, when you log practice |
| User-authored drill content | Drill name, description, setup, instructions, optional photo or video | You, when you author a drill |
| Social | Friendships, competition memberships and standings | You + your friends |
| Subscription | Subscription tier (free/Pro), status (active/in_trial/cancelled/etc.), period end date, store (App Store/Play), product id | Apple, Google, RevenueCat (sub-processors) |
| Device / technical | App version, OS, error logs (only when something fails) | App, automatically |
We do not collect: precise location (GPS), advertising identifiers, contact list, microphone audio (except when you choose to film a drill video), camera roll (except when you pick an image), payment details (Apple/Google handle payment data; we never see your card information).
3. Why we use your data (legal basis)
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the app’s core functionality (account, sessions, drills) | Performance of a contract (Art. 6(1)(b)) |
| Operating SKAFT. Pro subscription and billing | Performance of a contract (Art. 6(1)(b)) |
| Sending essential service emails (password reset, billing-issue notice) | Performance of a contract (Art. 6(1)(b)) |
| Cross-user features (leaderboards, friends, competitions) | Performance of a contract + your consent for public visibility (Art. 6(1)(a), revocable in Profile → Settings → Privacy) |
| Publishing a user-authored drill to the community library | Your explicit consent (Art. 6(1)(a)) given by toggling the drill to public; revocable any time by setting the drill private or deleting it |
| Translating user-authored drill content between Icelandic and English | Performance of a contract (Art. 6(1)(b)). See §4 for the AI sub-processor used |
| Diagnosing crashes and errors | Legitimate interest (Art. 6(1)(f)) |
| Complying with tax, accounting, and consumer-rights law | Legal obligation (Art. 6(1)(c)) |
We do not sell your personal data, use it for ad targeting, or train AI models on it. Drill text content sent to our translation sub-processor (see §4) is not used to train AI models, per that sub-processor’s API policy.
4. Who we share data with (sub-processors)
We use the following sub-processors. Each is bound by a data-processing agreement and an adequate cross-border transfer safeguard where applicable.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, file storage, edge functions | EU / US (Standard Contractual Clauses) |
| RevenueCat Inc. | Subscription receipt validation and entitlement state | US (Standard Contractual Clauses) |
| Apple Inc. | App Store subscription billing, payment processing, App Store transactions | US (EU-US Data Privacy Framework) |
| Google LLC | Google Play subscription billing, payment processing | US (EU-US Data Privacy Framework) |
| Expo, Inc. | App build and over-the-air update delivery | US (Standard Contractual Clauses) |
| Anthropic, PBC | Translation of user-authored drill text content between Icelandic and English, via the Claude API. Anthropic’s API policy states that customer input is not used to train Anthropic’s models. | US (Standard Contractual Clauses) |
| Netlify, Inc. | Hosting of the marketing website at skaftgolf.com | US (Standard Contractual Clauses) |
| Web3Forms | Receiving messages submitted through the contact form on skaftgolf.com and forwarding them to skaft@skaftgolf.com | EU |
We may add or change sub-processors. Material changes will be notified at least 30 days in advance via email or in-app notice.
We do not transfer data outside the EEA except through the sub-processors above, each of which provides adequate safeguards under GDPR Chapter V (Standard Contractual Clauses).
5. How long we keep your data
- Account, profile, practice data · for as long as your account is active.
- Subscription records · for 7 years after the last invoice, as required by Icelandic accounting / tax law (Lög um bókhald nr. 145/1994).
- Server logs and error traces · typically 30 days.
- Deleted-account residuals · when you delete your account, personal data is removed within 30 days. Anonymous aggregates (e.g. peer averages used in comparison rows) may persist with no link back to you.
6. Your rights
Under GDPR and Lög um persónuvernd nr. 90/2018 you have the right to:
- Access the personal data we hold about you (Art. 15)
- Rectification of inaccurate data (Art. 16)
- Erasure (“right to be forgotten”, Art. 17)
- Restriction of processing (Art. 18)
- Data portability · receive your data in machine-readable form (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time (does not affect processing already done)
- Lodge a complaint with the supervisory authority
To exercise these rights, contact skaft@skaftgolf.com. We respond within 30 days as required by Art. 12. You can also export your sessions to PDF from Profile → Export sessions, and delete your account from Profile → Settings → Delete account, which removes your personal data within 30 days.
Icelandic supervisory authority: Persónuvernd (Data Protection Authority of Iceland) Rauðarárstígur 10, 105 Reykjavík personuvernd.is · phone: +354 510 9600
7. Children
SKAFT. is not directed to children under 13. We do not knowingly collect or process the personal data of children under 13. If you become aware that a child under 13 has provided us with personal data, please contact skaft@skaftgolf.com and we will delete the account and associated data within 7 days. Users aged 13–18 should review this policy with a parent or guardian.
8. Security
We use industry-standard safeguards including TLS 1.2+ in transit, encryption at rest by Supabase Storage and Postgres, hashed credentials (bcrypt) for passwords stored by Supabase Auth, row-level security so users can only read their own private data, and least-privilege service-role access. No system is perfectly secure, however. If we become aware of a personal-data breach likely to result in risk to your rights, we will notify Persónuvernd within 72 hours and notify affected users by email without undue delay, in line with Art. 33–34 GDPR.
9. Cookies, analytics, and tracking
Neither the SKAFT. mobile app nor the marketing website (skaftgolf.com) uses cookies, analytics SDKs, or tracking pixels at this time. No advertising identifiers (IDFA, GAID) are read. No push-notification tokens are collected.
If we add any of the above in the future (for example, a privacy-respecting analytics tool to understand which features are used), we will update this policy at least 30 days in advance and, where applicable, add an in-app consent prompt and a cookie notice to the website.
10. Changes to this policy
We may update this policy when the law, our practices, or the app changes. Material changes will be announced in-app at least 30 days before they take effect. The “Last updated” date at the top of this document always reflects the current version.
11. Governing law and disputes
This policy is governed by the laws of Iceland. Disputes are subject to the exclusive jurisdiction of the courts of Iceland (Héraðsdómur Reykjavíkur in the first instance), without prejudice to your right to lodge a complaint with Persónuvernd or any other competent supervisory authority.